Snort mailing list archives

Snort 3.0 performance issue


From: Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Sun, 17 Jun 2018 10:15:39 +1200

Hi everyone.

I am using Snort++ 3.0 to do some performance tests. We set up two
scenarios:
1. Running a single flow on a 100Gb high-speed network. Both the Pcap and
AFPacket DAQs work as expected. AF_Packet captured all the packets with no
packet loss. PCAP dropped few packets.

2. Running multiple flows with different delays on the same network. This
time AFPacket performed badly compared with PCAP in terms of
received packets. For instance:

daq (Pcap)
                 received: 695471792
                 analyzed: 14603352
                  dropped: 680868440

daq (AFPacket)
                 received: 16774888
                 analyzed: 16774888
                  dropped: 699072874

From my understanding, I thought AFPacket would have better performance
than PCAP. But why did I get different results here? Besides, I am
wondering when I can configure the search methods (ac-bnfa, ac_q or ac-split)
in Snort 3.0.


Here is some information about our testing service:

Version: Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores

Thank you very much.

Best regards,

Steven