Snort mailing list archives
Perf Profiling results/troubleshooting throughput
From: B <dustythepath () gmail com>
Date: Fri, 7 Apr 2017 16:12:16 -0700
Hi,
I am having problems with network throughput and getting hit with a 25-30% performance hit when going through an inline
Snort installation.
Snort is installed as a guest on an EXSI box with an Intel(R) Core(TM)2 Quad CPU Q9550 @ 2.83GHz.
All network offloading has been turned off including within the ESXI host via Advanced settings.
Also have done other tweaks with sysctl that have had no real affect.
MTU /Snaplen has not been touched.
Snort does hit 100% CPU during a speedtest.net <http://speedtest.net/> throughput test. When adding Perf Profiling the
throughput became worse.
Others on the list have said bare metal is better, any opinions on that would be welcome.
Below is the Prepocessor performance profile results.
I dont really know what I’m looking at but am asking if s5TcpProcessRebuilt is out of bounds?
Any guidance would be appreciated.
Thanks
Preprocessor Profile Statistics (all)
==========================================================
Num Preprocessor Layer Checks Exits Microsecs Avg/Check Pct of Caller Pct of Total
=== ============ ===== ====== ===== ========= ========= ============= ============
1 s5 0 106726 106726 3896181 36.51 45.34 45.34
1 s5tcp 1 106268 106268 3872032 36.44 99.38 45.06
1 s5TcpState 2 106240 106240 3757429 35.37 97.04 43.73
1 s5TcpFlush 3 4683 4683 28215 6.03 0.75 0.33
1 s5TcpProcessRebuilt 4 4683 4683 3445701 735.79 12211.99 40.10
2 s5TcpBuildPacket 4 4683 4683 20727 4.43 73.46 0.24
2 s5TcpPAF 3 1969 1969 9299 4.72 0.25 0.11
3 s5TcpData 3 63366 63366 101811 1.61 2.71 1.18
1 s5TcpPktInsert 4 54480 54480 78869 1.45 77.47 0.92
2 s5TcpNewSess 2 285 285 1666 5.85 0.04 0.02
2 s5udp 1 458 458 1347 2.94 0.03 0.02
2 frag3 0 4 4 145 36.27 0.00 0.00
1 frag3rebuild 1 2 2 10 5.42 7.47 0.00
2 frag3insert 1 2 2 8 4.28 5.90 0.00
3 detect 0 164819 164819 5627954 34.15 65.50 65.50
1 mpse 1 254861 254861 6212436 24.38 110.39 72.30
2 rule eval 1 336 336 5716 17.01 0.10 0.07
1 rule tree eval 2 336 336 5568 16.57 97.41 0.06
1 preproc_rule_options 3 1 1 12 12.76 0.23 0.00
2 content 3 475 475 4413 9.29 79.25 0.05
3 uricontent 3 1 1 1 1.38 0.02 0.00
4 session 3 106791 106791 135399 1.27 2431.67 1.58
5 flowbits 3 5 5 4 0.86 0.08 0.00
6 flow 3 248 248 61 0.25 1.10 0.00
7 file_data 3 73 73 13 0.18 0.24 0.00
4 httpinspect 0 66291 66291 1237182 18.66 14.40 14.40
5 decode 0 106961 106961 563843 5.27 6.56 6.56
s5TcpProcessRebuilt
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Perf Profiling results/troubleshooting throughput B (Apr 07)