Snort mailing list archives
Re: Packet loss more than 60%.
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 26 Sep 2016 22:14:44 +0000
Does the “Thread(s) per core” mean “threads of Snort, per core”? Because if so, that may be an issue… Are you using PF_RING? Are you distributing the traffic across the cores? Other than that, there are about a million tweaks you can make for performance. But yeah, what ruleset you are running? On Sep 26, 2016, at 6:07 PM, fatema bannatwala <fatema.bannatwala () gmail com<mailto:fatema.bannatwala () gmail com>> wrote: Hi, We have two snort sensors each with 40 cpu cores and running 19 snort instances on CentOS 6.8. I looked at the snort per processes stats on one of the sensors and noticed a less than ideal drop rate: 62.2% 0% dropped 29.5% 1-9% dropped 04.7% 10-19% dropped 02.1% 20-29% dropped 00.8% 30-39% dropped 00.4% 40-49% dropped 00.1% 50-59% dropped 00.1% 60-69% dropped It would make sense that the processes dropping traffic are seeing more traffic, so the total % of packets dropped is likely higher than what the above would indicate. Are there any specific settings that can be tweaked to reduce the capture loss? I think commenting out some rules might be a better approach though. CPU architecture info: Architecture: x86_64 CPU op-mode(s): 32-bit, 64-bit CPU(s): 40 On-line CPU(s) list: 0-39 Thread(s) per core: 2 Model name: Intel(R) Xeon(R) CPU E5-2670 v2 @ 2.50GHz Any help would be appreciated. Thanks, Fatema. ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Packet loss more than 60%. fatema bannatwala (Sep 26)
- Re: Packet loss more than 60%. Joel Esler (jesler) (Sep 26)
- Re: Packet loss more than 60%. fatema bannatwala (Sep 27)
- Re: Packet loss more than 60%. Joel Esler (jesler) (Sep 26)