Snort mailing list archives
Re: Intel X520 and Multi-Queue Snort
From: Mike Lococo <mikelococo () gmail com>
Date: Fri, 13 May 2011 11:24:12 -0400
On 05/13/2011 09:30 AM, Martin Holste wrote:
> One more thing I'll add: we've also run Endace in the past, but we only got a small performance improvement because Snort quickly becomes CPU-bound. Obviously, at speeds over 1 gig you're going to have a huge packet collection overhead (which Endace will eliminate), but remember that if at speeds of < 1 gig you are CPU bound, you'll be even more CPU bound at > 1 gig.
I couldn't agree more that CPU is the biggest challenge at higher throughputs, and that the "capture-acceleration" features on Endace cards, while useful, are sometimes oversold. You might primarily have experience with Endace cards that don't offer multiple load-balanced queues; the feature is called "hash-based load-balancing" or "HLB" in Endace product literature. Some cards have it and others don't, and it's rare on cards from more than ~3 years ago. Where it exists, it allows you to scale to multiple CPUs in much the same way PFRING does.
> Unless you're doing heavy BPF filtering or are running just a few rules, you're going to need at least 16 cores to do significant pattern matching at over a gig with zero drops.
16!??! I currently monitor a link that has a daily peak of about 1.5 gigabits per second of actual traffic with 4 snort-processes, and I run about 7000 rules selected from VRT and ET with close to zero packet-loss. Each CPU with a snort process tends to run 60%-80% utilized. I definitely have disabled some heavy rule categories and manually tuned out some inefficient sids, but I've had discussions with a number of folks who also monitor their packet loss statistics and have found that 250-350mbits/second per cpu is very achievable with just a small amount of tuning. That said, the 10gig cards I'm testing are in a 32-cpu system with 256gigs of ram, so I'm hoping it will scale close to the 10gig line-rate with minimal loss. Time will tell if I find another bottleneck somewhere.
Best Regards,
Mike Lococo