Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Performance comparison between V2 and V3 (rev1)

From: Min-gyu Jeon via Snort-devel <snort-devel () lists snort org>
Date: Tue, 26 Feb 2019 14:19:54 +0900
 Hello,

Some updates here...
Test conditions are all same as before but mentioned.
(https://seclists.org/snort/2019/q1/208)

Trial 1. *(change config)*
: Applied the latest perf/3.0, perf/2.9 config provided by snort_demo repo
(pulled on 2019-02-25)
=>  SnortV3 has shown better performance (more than 250%). On the other
side, V2 perf has gone poor (below 50%).

=======RESULT1===========
V3 vs V2 (1 thread/process)

V3: 42K pps (CPU 100%)
V2: 6K pps (CPU 100%)
==========================

=======RESULT1===========
V3 vs V2 (24 threads/process)

=> V3: 520K pps (CPU 2300%)
=> V2: 170K pps (CPU 2380%)
==========================

Trial 2. *(change in stream_tcp->ports value only in V2, could not in V3)*
Adjusting some config variables, I figured out that the reason for V2's
decrease in performance was
stream_tcp's value "ports all". (reassemble on all ports)
If I **apply the default setting for stream_tcp->ports (reassemble only on
specific ports) of v2.9.11.1**,
the result is as below. (In V3 I could not set up stream_tcp.port/ports)

=======RESULT1===========
V3 vs V2 (1 thread/process)

V3: 42K pps (CPU 100%)
V2: 22K pps (CPU 100%)
==========================

=======RESULT1===========
V3 vs V2 (24 threads/process)

=> V3: 550K pps (CPU 2200%)
=> V2: 440K pps (CPU 2390%)
==========================

...
If the above reasoning is right, the left job is to figure out what ports
are V3 listening in default.
If V3 is reassembling all ports, Trial 1's result seems right.
If not, Trial 2's results seems an approximate. (need more adjustment on
ports in this case)
Any idea/feedbacks will be very helpful.

Sincerely,

Jeon


2019년 2월 22일 금요일, Russ <rucombs () cisco com>님이 작성:


OK.  Be sure to pull the latest fixes 2.9/repeat.sh and adds some
validation scripts.




_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: