Snort mailing list archives
Re: TCP stream processing performance
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 28 Jun 2016 02:04:17 +0000
TCP segment traffic has to be reassembled/reordered in the correct format before rules are applied. The same thing goes for fragmented traffic. If there are a lot of fragments, Frag3 has to reassemble them.

http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html#SECTION00323000000000000000

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Kevin Wang <kevin.wang () Istuary com>
Date: Monday, June 27, 2016 at 5:59 PM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] TCP stream processing performance

Hello,

I am looking at Snort performance and I found that in the Preprocessor profile statistics, "s5" or "s5tcp" is taking a lot of time. My understanding is that s5tcp is for TCP stream reassembly and the time taken is mostly due to the buffering and mis-ordered packets. The actual processing by the CPU is relatively short. Is my understanding correct, or is there other intense processing going on?

Thanks,
Kevin
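The point made in the reply above (rules see TCP data only after reassembly, and out-of-order segments have to be held until the gap before them fills), as an added Python example that is not from the thread or from Snort's code. The function names, the first-copy-wins overlap policy and the sample segments are constructed assumptions, and sequence-number wraparound is ignored.

```python
# Added illustration: one direction of one TCP flow, payload bytes only.
# Not Snort's implementation; names and policy are assumptions.

def reassemble(segments, isn):
    """segments: (seq, payload) tuples in ARRIVAL order.
    Returns (in-order stream bytes, peak number of segments held back)."""
    next_seq = isn + 1          # first data byte follows the SYN
    pending = {}                # seq -> payload, waiting for a gap to fill
    stream = bytearray()
    peak_held = 0
    for seq, data in segments:
        if seq + len(data) <= next_seq:
            continue            # pure retransmission of delivered bytes
        pending.setdefault(seq, data)   # first copy wins (assumed policy)
        # Deliver everything that is now contiguous with the stream.
        while True:
            ready = [s for s in pending if s <= next_seq]
            if not ready:
                break
            s = min(ready)
            chunk = pending.pop(s)[next_seq - s:]   # trim any overlap
            stream += chunk
            next_seq += len(chunk)
        peak_held = max(peak_held, len(pending))
    return bytes(stream), peak_held

def per_packet_match(segments, pattern):
    """What a matcher would see without reassembly: each payload alone."""
    return any(pattern in data for _, data in segments)

# Constructed sample: "hello example-marker world" split into three
# segments that arrive out of order, plus one retransmission.
ISN = 1000
SAMPLE = [
    (1018, b"ker world"),
    (1011, b"ple-mar"),
    (1001, b"hello exam"),
    (1001, b"hello exam"),      # retransmitted first segment
]
PATTERN = b"example-marker"

if __name__ == "__main__":
    stream, held = reassemble(SAMPLE, ISN)
    print("per-packet match:", per_packet_match(SAMPLE, PATTERN))
    print("stream match:    ", PATTERN in stream)
    print("peak segments buffered:", held)
```
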
