Snort mailing list archives
Re: Snort 3.0 performance issue
From: "Carter Waxman (cwaxman) via Snort-users" <snort-users () lists snort org>
Date: Tue, 19 Jun 2018 16:47:14 +0000
If these were taken with a similar run time, your performance is better with AFPacket. Analyzed is the number of
packets actually processed by Snort. In PCAP, received means “seen by libpcap,” since it's managing its own packet
queuing above the network driver, where in AFPacket it means “pulled off of the driver’s queue before being pruned.” In
both cases, dropped represents “pruned from underlying queue / not seen by Snort.”
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Qinwen Hu <qhu009 () aucklanduni ac nz>
Date: Saturday, June 16, 2018 at 6:24 PM
To: "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Snort 3.0 performance issue
Hi everyone.
I am using Snort++ 3.0 to do some performance tests. We set up two scenarios:
1. Running a single flow on a 100Gb high-speed network. Both Pcap and AFPacket DAQ work as expected. AF_Packet captured
all the packets with no packet loss. PCAP dropped few packets.
2. Running multiple flows with different delays on the same network. This time AFPacket performed badly when we
compared it with PCAP in terms of received packets. For instance:
daq (Pcap)
received: 695471792
analyzed: 14603352
dropped: 680868440
daq (AFPacket)
received: 16774888
analyzed: 16774888
dropped: 699072874
From my understanding, I thought AFPacket would have better performance than PCAP. But why did I get different results
here? Besides, I am wondering when I can configure the search methods (ac-bnfa, ac_q or ac-split) in Snort 3.0?
Here is some information about our testing service:
Version: Snort++ 3.0.0-243
CPU: Intel(R) Xeon(R) Gold 6136 CPU @ 3.00GHz * 24 cores
Thank you very much.
Best regards,
Steven
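
Added example (not part of either post, and not Snort or DAQ project code): a small Python script that puts the two counter blocks quoted above on one scale, following the reply's point that "received" means different things under the two DAQs. It assumes, based only on the posted numbers, that pcap's "received" already includes the dropped packets while afpacket's "received" excludes them; the function names are hypothetical.

```python
import re

# Constructed sample input: the two "daq" counter blocks quoted in the post above.
SAMPLE = """\
daq (Pcap)
received: 695471792
analyzed: 14603352
dropped: 680868440
daq (AFPacket)
received: 16774888
analyzed: 16774888
dropped: 699072874
"""

def parse_daq_blocks(text):
    """Return {daq_name_lowercase: {counter: int}} from 'daq (<name>)' blocks."""
    blocks, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*daq\s*\((\w+)\)\s*$", line)
        counter = re.match(r"\s*(\w+):\s*(\d+)\s*$", line)
        if header:
            current = blocks.setdefault(header.group(1).lower(), {})
        elif counter and current is not None:
            current[counter.group(1)] = int(counter.group(2))
    return blocks

def normalize(name, c):
    """Put both DAQs on one scale: packets offered, analyzed, and loss ratio.

    Assumption (inferred from the posted numbers, not from DAQ documentation):
    pcap's 'received' already contains the dropped packets, while afpacket's
    'received' counts only packets handed to Snort, so drops are added on top.
    """
    if name == "pcap":
        offered = c["received"]
    elif name == "afpacket":
        offered = c["received"] + c["dropped"]
    else:
        raise ValueError(f"no counter semantics known for DAQ {name!r}")
    loss = c["dropped"] / offered if offered else 0.0
    return {"offered": offered, "analyzed": c["analyzed"], "loss": loss}

def compare(text):
    return {n: normalize(n, c) for n, c in parse_daq_blocks(text).items()}

if __name__ == "__main__":
    for name, r in compare(SAMPLE).items():
        print(f"{name:9s} offered={r['offered']:>11d} "
              f"analyzed={r['analyzed']:>9d} loss={r['loss']:.2%}")
```

On the posted counters both runs lose roughly 98% of the offered packets before Snort sees them, and AFPacket analyzes more packets than PCAP, which matches the reply's reading.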
