Snort mailing list archives
RE: gigabit nic?
From: snort-users <snort-users () staff webcentral com au>
Date: Wed, 11 Sep 2002 10:34:48 +1000
I've just recently finished deploying Linux based snort sensors and an ACID console on my network, so I thought I'd send some of my findings back to the community.

After doing some GigE proof of concept work with a 3Com 3c996BT (1000BT/copper) I've ended up using Intel Pro/1000 MF NICs (1000B-SX/fibre). Both of these cards have "interrupt modularisation" and "TCP Offload/checksum" features which means the CPU can actually keep up with the data being thrown at it. These cards also have 64bit,133MHz PCI/PCIX interfaces.

During our original testing with a Dlink 4 port 100M card (33bit, 33MHz), the sensor machine was receiving approx 8000 system interrupts per second per 100M port. The Pro 1000MF cards are delivering 5500 interrupts per second per 1Gbit port.

Due to my network architecture I need to have both of my SPAN ports arriving in the same box to be able to defragment as required and not see "duplicate" alerts caused by dual path/equal cost routing. It should be noted however that Linux 2.4.18 is only able to support a 33MHz PCI bus.

> using Intel Pro/1000F Server adapters, since all of our Gig infrastructure uses fiber. The Linux driver support is good, and the

My sensor machine is a 1266MHz P3 with 256MB RAM and a (second, non disk subsystem) 64bit PCI bus for the 2 Intel Pro/1000 MF cards (using the excellent Intel e1000 driver module). SCSI controller is an Ultra160 Adaptec. File systems are using LVM.

/etc/modules.conf:
options e1000 RxDescriptors=2048,2048 TxDescriptors=80,80

This is from /proc/net/PRO_LAN_Adapters/eth3.info
Rx_Packets 2856981123
Rx_Errors 4527
Rx_CSum_Offload_Good 143639510034
Rx_CSum_Offload_Errors 6886135

I think Rx_Packets is an unsigned 32bit counter, so I'm wrapping every 22 hours. Ish.

> kernel) keeps up with a 100Mbit sustained pipe, albeit with a somewhat tweaked ruleset. I've seen the traffic on that link spike up to ~

1145 Option Chains linked into 138 Chain Headers

> 250Mbits, and Snort doesn't barf and I don't show dropped packets.

According to my core switches, I'm sending:
output rate 248770000 bits/sec, 41521 packets/sec with Total output drops: 80313
output rate 300219000 bits/sec, 54450 packets/sec with Total output drops: 11977631

But this is a quiet time. Sustained peaks of 700++Mbits are seen during the day.

Running one snort process and one barnyard process (alert).
9:31am up 28 days, 21:23, 3 users, load average: 1.89, 1.93, 1.90
40 processes: 36 sleeping, 4 running, 0 zombie, 0 stopped
CPU states: 67.5% user, 32.4% system, 0.0% nice, 0.0% idle
Mem: 256108K av, 251296K used, 4812K free, 0K shrd, 54564K buff
Swap: 1052248K av, 2212K used, 1050036K free 94252K cached
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
23942 snort 25 0 24068 22M 1204 R 99.8 9.1 11781m snort
4621 snort 15 0 1656 1552 684 S 0.0 0.6 27:19 barnyard
===============================================================================
Snort analyzed -1369552896 out of -1641541576 packets,
The kernel dropped -276243448(151.454%) packets
Breakdown by protocol: Action Stats:
TCP: -2049327621 (84.632%) ALERTS: 742392
UDP: 525098514 (19.789%) LOGGED: 457706
ICMP: 69364820 (2.614%) PASSED: 21064
ARP: 17076640 (0.644%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 69000925 (2.600%)
DISCARD: 816 (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 3557042 (0.134%)
Fragment Trackers: 1514704
Rebuilt IP Packets: 73002
Frag elements used: 146039
Discarded(incomplete): 674577
Discarded(timeout): 839974
Frag2 memory faults: 142120
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 1092219664 (41.163%)
Stream Trackers: 516056675
Stream flushes: 314379316
Segments used: 629265834
Stream4 Memory Faults: 68267975
===============================================================================
Virgil
--
WebCentral Pty Ltd Australia's #1 Internet Web Hosting Company
Level 5, 100 Wickham St. Network Operations - Systems Engineer
PO Box 930, Fortitude Valley. email: virgil () webcentral com au
Queensland, Australia 4006. phone: +61 7 3230 7176
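
Added example, not part of the original message: the negative totals in the Snort summary and the "wrapping every 22 hours" estimate both follow from 32-bit counters, and this sketch reinterprets the printed values as unsigned, reproduces the printed percentages from them, and shows a wrap-aware delta for sampling such counters. The 32-bit width is an assumption taken from the message's own guess, and the function names are illustrative.

```python
"""Added example: 32-bit counter wrap in the sensor statistics quoted above."""

U32 = 1 << 32  # assumed counter width: 32 bits


def as_u32(value):
    """Reinterpret a counter printed as signed 32-bit as its unsigned value."""
    return value % U32


def pct(part, total):
    """Percentage over the unsigned views, to three decimals like the summary."""
    return round(100.0 * as_u32(part) / as_u32(total), 3)


def delta_u32(prev, cur):
    """Packets between two samples; correct if at most one wrap occurred."""
    return (cur - prev) % U32


def wrap_hours(packets_per_sec):
    """Hours until a 32-bit packet counter wraps at a constant packet rate."""
    return U32 / packets_per_sec / 3600.0


# Values copied from the message above.
TOTAL, ANALYZED, DROPPED = -1641541576, -1369552896, -276243448
TCP, UDP = -2049327621, 525098514

if __name__ == "__main__":
    for name, v in (("total", TOTAL), ("analyzed", ANALYZED),
                    ("dropped", DROPPED)):
        print(f"{name:9s} printed {v:12d} -> low 32 bits {as_u32(v)}")
    # The summary's percentages are ratios of these truncated values.
    print("dropped %:", pct(DROPPED, TOTAL))
    print("TCP %:", pct(TCP, TOTAL), "UDP %:", pct(UDP, TOTAL))
    # 54450 packets/sec is the rate the switch reports for one SPAN port.
    print("wrap interval: %.1f h" % wrap_hours(54450))
    # Constructed samples: counter read shortly before and after a wrap.
    print("delta across wrap:", delta_u32(4294967000, 500))
```

Because the unsigned "analyzed" value comes out larger than the unsigned total, the counters have wrapped a different number of times, so the 151.454% figure is not a usable drop rate; a usable rate needs samples taken more often than the wrap interval and differenced with `delta_u32`.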
