This is just an update for the ml: there is a new DNA-DAQ available that solves this issue with Snort 2.9.5
Alfredo

On Jul 18, 2013, at 3:18 PM, Scott Finlon <[email protected]> wrote:

> Alright, now PF_RING 5.5.3 and Snort 2.9.4.6 are on both boxes, and the CPU
> on the new box is still at 100%.
>
> Scott Finlon, CISSP
> -----------------------------------------
> Information Security Engineer
> The University of Scranton
> Email : [email protected]
> Phone : 570-941-6168
> -----------------------------------------
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Alfredo
> Cardigliano
> Sent: Thursday, July 18, 2013 8:25 AM
> To: [email protected]
> Subject: Re: [Ntop-misc] PF_RING / DNA + Snort
>
> Yes, please try with the same version and let us know
>
> Thanks
> Alfredo
>
> On Jul 18, 2013, at 2:03 PM, Scott Finlon <[email protected]> wrote:
>
>>> are you also using the same pf_ring version? (looking for differences
>>> first of all)
>>
>> The new box has a newer version of PF_RING on it.
>> New box:
>> PF_RING Version : 5.6.1 ($Revision: 6565$)
>> Total rings : 8
>>
>> Old Box:
>> PF_RING Version : 5.5.3 ($Revision: 6109$)
>> Total rings : 8
>>
>> Do you want me to drop the new box back to 5.5.3? The old box is still in
>> production, so I don't want to upgrade that one yet if it's PF_RING that is
>> causing the issues.
>>
>> Scott Finlon, CISSP
>> -----------------------------------------
>> Information Security Engineer
>> The University of Scranton
>> Email : [email protected]
>> Phone : 570-941-6168
>> -----------------------------------------
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Alfredo
>> Cardigliano
>> Sent: Thursday, July 18, 2013 4:12 AM
>> To: [email protected]
>> Subject: Re: [Ntop-misc] PF_RING / DNA + Snort
>>
>> Scott
>> are you also using the same pf_ring version? (looking for differences
>> first of all)
>>
>> Alfredo
>>
>> On Jul 18, 2013, at 3:30 AM, Scott Finlon <[email protected]> wrote:
>>
>>> Alfredo,
>>> At first I was using a slightly different config because I was utilizing 16
>>> threads instead of 8, but when I turned off hyper threading I went back to
>>> using the exact same config.
>>> PF_RING with the DNA DAQ, 8 queues, identical traffic, right now in the
>>> summer with no students on campus we are only seeing a few hundred Mbps so
>>> the older box is at 10ish % CPU utilization while the new box is at 100%.
>>>
>>> Is there any config you would like to see specifically?
>>>
>>> Thank you!
>>> -Scott
>>>
>>> On Jul 17, 2013, at 4:19 PM, "Alfredo Cardigliano" <[email protected]>
>>> wrote:
>>>
>>>> Hi Scott
>>>> are you using the same configuration on the two boxes? could you provide
>>>> more details about configuration?
>>>>
>>>> Best Regards
>>>> Alfredo
>>>>
>>>> On Jul 17, 2013, at 9:31 PM, Scott Finlon <[email protected]>
>>>> wrote:
>>>>
>>>>> Yes, both MSI-X and PCIE v3 are supported.
>>>>> I disabled HT because that is one of the only differences between
>>>>> the two boxes, the old machine has two E5-2609's which aren't HT
>>>>> capable, and the new machine has two E5-2660's which are.
>>>>>
>>>>> Scott Finlon, CISSP GCIA
>>>>> -----------------------------------
>>>>> Information Security Engineer
>>>>> The University of Scranton
>>>>> email : [email protected]
>>>>> phone : 570-941-6168
>>>>> -----------------------------------
>>>>>
>>>>> On 7/17/13 3:20 PM, "Ritter, Nicholas"
>>>>> <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Does the new box support MSI-X and/or PCIe v3? I would think that
>>>>>> disabling HT (as in HyperThreading) would be the last thing you
>>>>>> would want to do.
>>>>>>
>>>>>> ________________________________________
>>>>>> From: [email protected]
>>>>>> [[email protected]] on behalf of Scott Finlon
>>>>>> [[email protected]]
>>>>>> Sent: Wednesday, July 17, 2013 1:52 PM
>>>>>> To: [email protected]
>>>>>> Subject: [Ntop-misc] PF_RING / DNA + Snort
>>>>>>
>>>>>> I am in the process of moving Snort from an older box to a new box.
>>>>>> Both are RHEL 6 x64, both with the same NICs.
>>>>>> I am using PF_RING/DNA to split traffic across CPU cores on the
>>>>>> box, and can verify using pf_count_multichanel that traffic is
>>>>>> being split the way it should be.
>>>>>>
>>>>>> I compiled Snort on the new box fresh, but copied the configs over.
>>>>>> The old box CPU is currently sitting around 10%, the new box has
>>>>>> the cores pegged at 99-100%.
>>>>>>
>>>>>> I disabled HT on the new box, but the CPU is still maxed.
>>>>>>
>>>>>> This looks like more of a Snort issue, not so much PF_RING, but I
>>>>>> asked over there and they aren't sure what might be the cause.
>>>>>> Anyone have any other ideas of what might be causing this to happen?
>>>>>>
>>>>>> Scott Finlon, CISSP GCIA
>>>>>> -----------------------------------
>>>>>> Information Security Engineer
>>>>>> The University of Scranton
>>>>>> email : [email protected]
>>>>>> phone : 570-941-6168
>>>>>> -----------------------------------
>>>>>>
>>>>>> _______________________________________________
>>>>>> Ntop-misc mailing list
>>>>>> [email protected]
>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
