Snort mailing list archives
Re: Snort + PF_RING + DAQ
From: livio Ricciulli <livio () metaflows com>
Date: Tue, 04 Sep 2012 14:30:47 -0700
The Intel ixgbe(10Gb) driver comes with a script called set_irq_affinity which I use to set the card IRQs to the CPUs - in /proc/interrupts it looks like a descending staircase pattern.
good.
The most recent PF_RING DAQ has a parameter to specifically bind Snort/DAQ instances to CPU ids so I'm using that in a similar loop to the one used to start Snort on the Metaflows site.
The site says: |for| |i ||in| |`||seq| |0 1 23`; ||do||snort -c snort.serv.conf -N -A none -i eth3 --daq-||dir| |/usr/local/lib/daq| |\|
|--daq pfring --daq-var clusterid=10 &| |doneI do not think binding CPU is a good idea..Notice that the IXGBE has 16 queues but we spawn 24 threads with no binding..That was the best performance on our hardware.
|
IIRC you should have as many snort thread as network QUEUE your card have, and you should balance your IRQ on CPU and not CORE, thus if you have 16 dual core cpu, then you chould bind 2 cpu (4 core) to each snort process. I do not know how got your network card driver but mabey you would like to compile it from source. Ref: http://www.intel.com/support/network/adapter/pro100/sb/cs-032530.htm
Pfring uses it's own ixgbe driver..
Also you have alot of tunning depending on how your setup so you can tune your driver to your needs. -elz
On our hardware, we had a slight gain by using hyperthreading using 24 snort processes on a dual X5670 (6 cores+hyperthreading) rather than 12 snort processes like you suggest. Also, as I said, in our tests, letting the CPU roam wild was the best.. But it is hard to generalize.. Peter, what kind of hardware do you have?
- -- Peter Bates Senior Computer Security Officer Phone: +44(0)2076792049 Information Services Division Internal Ext: 32049 University College London London WC1E 6BT -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQEcBAEBAgAGBQJQRmF/AAoJELhVoVpEMS6R/CYH/RoC34RfyLQRf/SYtTCKjdCf 3c+FGTUds7dsfA0CmKfd3CgjLZUq+uoA2kv3K93zAA8tQtVWnlQAnd+rIehCh4EW h2cVVDBKqPlt+2xZI0icHTvseyiBxStZIEEjrmbJjfntATLKOykfPCi/rknhrm6J qijnwhQJff9162+mZLaUetBIsGkrxzW2+QxZel8Ym3kclstmmrXUHf2xGAKJzsv5 ZzP5VQFZpPJuuaTYisRhpc5qHbjgGiCbMtMKVlITxa7mf7Fis+o2OFwkBk6B2RwS LKZC0+/S3XtJ3e2RE5rbrE0VawD6aaxDu9TkgWzkDbPoyH7jVIU4eURNhB6pCTs= =ZI8P -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: Snort + PF_RING + DAQ, (continued)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Aug 30)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 04)
- Re: Snort + PF_RING + DAQ Jack (Sep 04)
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 04)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 04)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 04)
- Re: Snort + PF_RING + DAQ Livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 04)
- Re: Snort + PF_RING + DAQ beenph (Sep 04)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ beenph (Sep 04)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Luca Deri (Sep 04)
- Re: Snort + PF_RING + DAQ livio Ricciulli (Sep 04)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 04)
- Re: Snort + PF_RING + DAQ Luca Deri (Sep 10)
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 04)
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 05)
- Message not available
- Re: Snort + PF_RING + DAQ Peter Bates (Sep 06)
- Re: Snort + PF_RING + DAQ Joel Esler (Sep 06)