Re: 2.1.3rc1 Performance

[Gary_Portnoy () itginc com]

> Maybe you should recompile the old snort version with the actual libpcap
> and try this version again to have a "real" comparison?

I just recompiled 2.1.1rc1 with the newer version of libpcap, and whereas 
before no packets were dropped, now I am also seeing the same packet loss 
as with 2.1.3rc1.  So it looks like i need to go chase down the version of 
libpcap that was used to compile snort in the past.  I need to check on 
libpcre as well, since when i was configuring my build environment, I 
downloaded and compiled them all from scratch...  Otherwise I am out of 
ideas.

Grrrrr...
-Gary-
-------------------------------------------
Gary Portnoy




Dirk Geschke <Dirk_Geschke () genua de>
05/19/2004 11:11 AM

 
        To:     Gary_Portnoy () itginc com
        cc:     Dirk Geschke <Dirk_Geschke () genua de>, snort-users () lists sourceforge net, 
Dirk_Geschke () genua de
        Subject:        Re: [Snort-users] 2.1.3rc1 Performance


Hi Gary,

> The rules were the same, i just changed the link to the snort binary, so 

> that's not it. 

that's good. 

> Did pcre get rewritten, because it's been supported for a while now??? 

I am not sure, but I fear it is a performance penalty to use regular
expressions to match against a network packet.

> As for the libpcap question, i'll try to find out, because someone else 
> compiled the 2.1.1 binary on a different machine.  But the 2.1.3rc1 that 
I 
> compiled, libpcap is the most recent version 0.8.3.  In fact, i can 
almost 
> quarantee that it was a different version since 0.8.3 was released on 
> March 30 and I've had the 2.1.1 binary since before then.  But shouldn't 

> the newer version of libpcap be faster and more efficient?

Yes and no. But sometimes newer releases introduces newer bugs/problems.
(So maybe this counts for snort too.)

It also depends on your operating system. If you use linux then you should
use the ring buffere libpcap version of Phil Wood at 

      http://public.lanl.gov/cpw/

With older libpcap versions on linux I have seen some strange 
interpretation
of statistics and especially the RedHat version used a complete different
kind how statistics are counted.

Maybe you should recompile the old snort version with the actual libpcap
and try this version again to have a "real" comparison?

Best regards

Dirk









-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
This message is for the named person's use only. This communication is for 
informational purposes only and has been obtained from sources believed to 
be reliable, but it is not necessarily complete and its accuracy cannot be 
guaranteed. It is not intended as an offer or solicitation for the purchase
or sale of any financial instrument or as an official confirmation of any
transaction. Moreover, this material should not be construed to contain any
recommendation regarding, or opinion concerning, any security. It may
contain confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission. If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender. You must not, directly or indirectly, use, disclose, distribute, 
print, or copy any part of this message if you are not the intended 
recipient.  Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is 
authorized to state them to be the views of any such entity.

ITG Inc. reserves the right to monitor and archive all electronic 
communications through its network. 

ITG Inc. Member NASD, SIPC
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-



-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users