Snort mailing list archives
Re: Linux parameters
From: Phil Wood <cpw () lanl gov>
Date: Thu, 11 Apr 2002 10:16:28 -0600
On Wed, Apr 10, 2002 at 02:15:53PM -0400, larosa, vjay wrote:
Hello, Does anyone know if the following parameters in linux affect packet capture performance with snort in any way. /proc/sys/net/core/rmem_max /proc/sys/net/core/rmem_default
I thought I knew what those were, but the mind is going. I know they
come into play when iovecs are involved. And that is what is used to
define the ring that is in my version of libpcap.
I hit a limit of 32768 iovecs. It might be possible to increase it.
I tried half heartedly about a year back with no success. The iovec
structure is
struct iovec
{
void *iov_base; /* Pointer to data. */
size_t iov_len; /* Length of data. */
};
It is used to define a frame on a ring. The kernel allocates a buffer
to contain a ring of iovecs, which matches the one constructed in
libpcap (ala Alexey). libpcap allocates shared memory, initializes
it, and allocates some vanilla memory to contain a list of iovecs that
structure the memory. The kernel also allocates an iovec structure
and uses the same algorithm to parsel up the shared memory.
It would be interesting if doubling the rmem_max would then allow libpcap
to utilize a larger ring buffer. I have defined a maximum in my version
of libpcap of 32768, so it would be necessary to rebuild the library.
Also does snort make use of the Linux Packet Filter option if it is compiled in to the kernel?
snort doesn't. It's a linux libpcap thing. To get the max performance (on linux), you need my cut on libpcap. Check out: http://public.lanl.gov/cpw But, be sure to read the code first. %^) Phil
Thanks! vjl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Linux parameters larosa, vjay (Apr 10)
- Re: Linux parameters Phil Wood (Apr 11)