Re: Snort 3 Architecture

[Russ via Snort-devel <snort-devel () lists snort org>]

Hey Simon,

Snort 3 currently has one thread per packet source, whether that be a 
network interface or pcap.  You can configure that with -z or 
--max-packet-threads.  All processing of a given packet is within the 
thread associated with its source.  You can set CPU affinity for packet 
threads via the process module.  The architecture will evolve over time 
to support hardware offload and elephant flows (too big for a single core).

Please keep us posted on your results or if you have any questions about 
tuning for comparison with Snort 2.

Thanks
Russ

On 7/23/17 4:03 AM, Simon Dzn via Snort-devel wrote:
> Hey all,
>
> I am writing an article regarding to Snort 3 performance and I'm 
> having trouble finding a reliable resource on the current architecture.
> I saw in the Snort 3 documentation the difference in the packet 
> processing but couldn't find out if you are creating a thread for each 
> packet or several threads for detection.
>
> Thanks and have a great day!
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!