Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Problem with Snort3 multi-threaded on FreeBSD

From: Michael Altizer via Snort-users <snort-users () lists snort org>
Date: Fri, 1 Dec 2017 15:19:55 -0500
On 11/30/2017 12:14 PM, Dalten 22 via Snort-users wrote:

FreeBSD 11.1 amd64 - 4 cores
DAQ: Netmap
Background:  I have Snort3 is running very well with the following command:  snort -c /opt/snort/etc/snort/snort.lua -i igb0:igb1 --daq netmap -Q -u snort -g snort &
While that works well enough, if I tell it to use 4 threads like so, I get some errors in the console after about 10 seconds.
snort -c /opt/snort/etc/snort/snort.lua -i igb0:igb1 --daq netmap -Q -u snort -g snort -z 4 & 

Commencing packet processing
++ [0] igb0:igb1
++ [1] igb0:igb1
++ [2] igb0:igb1
++ [3] igb0:igb1
Set GID to 8888
Set UID to 8888
Can't acquire (-1) - netmap_daq_acquire: Encountered error condition on a packet socket 
-- [1] igb0:igb1
Can't acquire (-1) - netmap_daq_acquire: Encountered error condition on a packet socket 
-- [2] igb0:igb1
Can't acquire (-1) - netmap_daq_acquire: Encountered error condition on a packet socket 
-- [0] igb0:igb1
Snort3 still runs but top only reports it's using 2 threads, the same as if you don't specify -z. 

Thank you,

Aaron
The current Snort multiple packet threads solution still must instantiate a DAQ module instance in each packet thread to use as its packet source (no internal loadbalancing solution).  This means that each packet thread must follow the same rules as a Snort 2 instance would when it comes to opening the packet source.  So, just like if you tried to run four Snort 2 instances all trying to use the same two netmap interfaces, the second through fourth attempts to open those "busy" interfaces will fail.  I haven't kept up with netmap - if they have implemented something like AFPacket's fan-out loadbalancing functionality, the DAQ module could potentially be enhanced to support that and then be able to open the interfaces multiple times (with different loadbalancing IDs or something conceptually similar) as the afpacket DAQ module was. 
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Previous By Date Next
Previous By Thread Next

Current thread: