We seem to be having a problem with the hashing functionality of PF_RING.
One snort process appears to be getting the lion's share of the packets,
giving it a high drop rate (the percentages below are questionable).

Jan 29 11:22:03 snorthost snort[12300]: Analyzed: 271306688 (100.000%)
Jan 29 11:22:03 snorthost snort[12300]: Dropped: 712 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12302]: Analyzed: 316147617 (100.000%)
Jan 29 11:22:03 snorthost snort[12302]: Dropped: 1127688 ( 0.355%)
Jan 29 11:22:03 snorthost snort[12304]: Analyzed: 2154918764(100.000%)
Jan 29 11:22:03 snorthost snort[12304]: Dropped: 82205 ( 0.004%)
** Jan 29 11:22:03 snorthost snort[12306]: Analyzed: 1559887127 (100.000%)
** Jan 29 11:22:03 snorthost snort[12306]: Dropped: 2889701486 ( 64.943%)
Jan 29 11:22:03 snorthost snort[12308]: Analyzed: 278222877 (100.000%)
Jan 29 11:22:03 snorthost snort[12308]: Dropped: 5283 ( 0.002%)
Jan 29 11:22:03 snorthost snort[12310]: Analyzed: 500304473 (100.000%)
Jan 29 11:22:03 snorthost snort[12310]: Dropped: 0 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12312]: Analyzed: 476476420 (100.000%)
Jan 29 11:22:03 snorthost snort[12312]: Dropped: 2872 ( 0.001%)
Jan 29 11:22:03 snorthost snort[12314]: Analyzed: 310040648 (100.000%)
Jan 29 11:22:03 snorthost snort[12314]: Dropped: 8970 ( 0.003%)
Jan 29 11:22:03 snorthost snort[12316]: Analyzed: 275970056 (100.000%)
Jan 29 11:22:03 snorthost snort[12316]: Dropped: 0 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12318]: Analyzed: 268692346 (100.000%)
Jan 29 11:22:03 snorthost snort[12318]: Dropped: 0 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12320]: Analyzed: 472844029 (100.000%)
Jan 29 11:22:03 snorthost snort[12320]: Dropped: 16234 ( 0.003%)
Jan 29 11:22:03 snorthost snort[12322]: Analyzed: 414535582 (100.000%)
Jan 29 11:22:03 snorthost snort[12322]: Dropped: 0 ( 0.000%)

We're running 12 snorts like so:

snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=1 -c /etc/snort/snort.conf -l /var/log/snort1 -R 1
snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=2 -c /etc/snort/snort.conf -l /var/log/snort2 -R 2
snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=3 -c /etc/snort/snort.conf -l /var/log/snort3 -R 3
snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=4 -c /etc/snort/snort.conf -l /var/log/snort4 -R 4
etc...

I've tried various settings for the clustermode and the result seems to be
the same. Varying the number of snort processes also doesn't seem to make a
difference, and neither did changing enable_frag_coherence when insmodding
the pf_ring kernel module.
Anyone have any ideas?
PF_RING : 5.6.1
snort : 2.9.5.6
% ethtool -k eth6
Offload parameters for eth6:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
Thanks,
-- pckthck
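
Added example, not part of the original post: a small parser that turns the per-process Analyzed/Dropped lines above into each sensor's share of the packets offered to the cluster, so the imbalance can be quantified and compared between clustermode settings. Offered load is taken as analyzed + dropped, and the 2x-even-share threshold (skew_factor) is an assumption.

```python
import re

# Sample input: four of the post's twelve stat pairs, kept in the wrapped
# layout the archive shows (the Dropped percentage spills onto the next line).
SAMPLE = """\
Jan 29 11:22:03 snorthost snort[12300]: Analyzed: 271306688 (100.000%)
Jan 29 11:22:03 snorthost snort[12300]: Dropped: 712 (
0.000%)
Jan 29 11:22:03 snorthost snort[12304]: Analyzed: 2154918764(100.000%)
Jan 29 11:22:03 snorthost snort[12304]: Dropped: 82205 (
0.004%)
** Jan 29 11:22:03 snorthost snort[12306]: Analyzed: 1559887127 (100.000%)
** Jan 29 11:22:03 snorthost snort[12306]: Dropped: 2889701486 (
64.943%)
Jan 29 11:22:03 snorthost snort[12310]: Analyzed: 500304473 (100.000%)
Jan 29 11:22:03 snorthost snort[12310]: Dropped: 0 (
0.000%)
"""

# Only the PID, the field name and the raw counter are needed, so wrapped or
# missing percentage text does not matter.
STAT = re.compile(r"snort\[(\d+)\]:\s+(Analyzed|Dropped):\s*(\d+)")

def per_process(log_text):
    """Return {pid: {'analyzed': n, 'dropped': n}} from Snort stat lines."""
    stats = {}
    for pid, field, value in STAT.findall(log_text):
        entry = stats.setdefault(int(pid), {"analyzed": 0, "dropped": 0})
        entry[field.lower()] = int(value)
    return stats

def balance_report(stats, skew_factor=2.0):
    """Per-PID share of offered packets, drop rate, and a skew flag."""
    total = sum(s["analyzed"] + s["dropped"] for s in stats.values())
    even = 1.0 / len(stats)  # share each process would get if balanced
    report = {}
    for pid, s in stats.items():
        offered = s["analyzed"] + s["dropped"]
        share = offered / total
        report[pid] = {
            "share": share,
            "drop_rate": s["dropped"] / offered if offered else 0.0,
            "skewed": share > skew_factor * even,
        }
    return report

if __name__ == "__main__":
    for pid, r in sorted(balance_report(per_process(SAMPLE)).items()):
        flag = "  <-- skewed" if r["skewed"] else ""
        print(f"{pid}: share={r['share']:.1%} drop={r['drop_rate']:.3%}{flag}")
```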