Hi, is your traffic really balanceable evenly? I think this is the problem.
This said, if you use HT and put two snort instances onto the same physical processor, they fight for CPU and in essence this also decreases the performance.

Luca

On 29 Jan 2014, at 23:13, Packet Hack <[email protected]> wrote:

> We seem to be having a problem with the hashing functionality of PF_RING.
> One snort process appears to be getting the lion's share of the packets,
> giving it a high drop rate (the percentages below are questionable).
>
> Jan 29 11:22:03 snorthost snort[12300]: Analyzed: 271306688 (100.000%)
> Jan 29 11:22:03 snorthost snort[12300]: Dropped: 712 ( 0.000%)
> Jan 29 11:22:03 snorthost snort[12302]: Analyzed: 316147617 (100.000%)
> Jan 29 11:22:03 snorthost snort[12302]: Dropped: 1127688 ( 0.355%)
> Jan 29 11:22:03 snorthost snort[12304]: Analyzed: 2154918764 (100.000%)
> Jan 29 11:22:03 snorthost snort[12304]: Dropped: 82205 ( 0.004%)
>
> ** Jan 29 11:22:03 snorthost snort[12306]: Analyzed: 1559887127 (100.000%)
> ** Jan 29 11:22:03 snorthost snort[12306]: Dropped: 2889701486 ( 64.943%)
>
> Jan 29 11:22:03 snorthost snort[12308]: Analyzed: 278222877 (100.000%)
> Jan 29 11:22:03 snorthost snort[12308]: Dropped: 5283 ( 0.002%)
> Jan 29 11:22:03 snorthost snort[12310]: Analyzed: 500304473 (100.000%)
> Jan 29 11:22:03 snorthost snort[12310]: Dropped: 0 ( 0.000%)
> Jan 29 11:22:03 snorthost snort[12312]: Analyzed: 476476420 (100.000%)
> Jan 29 11:22:03 snorthost snort[12312]: Dropped: 2872 ( 0.001%)
> Jan 29 11:22:03 snorthost snort[12314]: Analyzed: 310040648 (100.000%)
> Jan 29 11:22:03 snorthost snort[12314]: Dropped: 8970 ( 0.003%)
> Jan 29 11:22:03 snorthost snort[12316]: Analyzed: 275970056 (100.000%)
> Jan 29 11:22:03 snorthost snort[12316]: Dropped: 0 ( 0.000%)
> Jan 29 11:22:03 snorthost snort[12318]: Analyzed: 268692346 (100.000%)
> Jan 29 11:22:03 snorthost snort[12318]: Dropped: 0 ( 0.000%)
> Jan 29 11:22:03 snorthost snort[12320]: Analyzed: 472844029 (100.000%)
> Jan 29 11:22:03 snorthost snort[12320]: Dropped: 16234 ( 0.003%)
> Jan 29 11:22:03 snorthost snort[12322]: Analyzed: 414535582 (100.000%)
> Jan 29 11:22:03 snorthost snort[12322]: Dropped: 0 ( 0.000%)
>
> We're running 12 snorts like so:
>
> snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=1 -c /etc/snort/snort.conf -l /var/log/snort1 -R 1
>
> snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=2 -c /etc/snort/snort.conf -l /var/log/snort2 -R 2
>
> snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=3 -c /etc/snort/snort.conf -l /var/log/snort3 -R 3
>
> snort -D -i eth6 --daq pfring --daq-var clustermode=5 --daq-var clusterid=44 --daq-var bindcpu=4 -c /etc/snort/snort.conf -l /var/log/snort4 -R 4
>
> etc...
>
> I've tried various settings for the clustermode and the result seems to be the
> same. Varying the number of snort processes also doesn't seem to make a
> difference, and neither did changing enable_frag_coherence when insmodding
> the pf_ring kernel module.
>
> Anyone have any ideas?
>
> PF_RING : 5.6.1
> snort : 2.9.5.6
>
> % ethtool -k eth6
> Offload parameters for eth6:
> rx-checksumming: off
> tx-checksumming: off
> scatter-gather: off
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
>
> Thanks,
>
> -- pckthck
> _______________________________________________
> Ntop-misc mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
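To put numbers on the imbalance discussed in this thread, the following added example (not code from either poster or from PF_RING/Snort) parses the posted Snort statistics and computes each process's share of delivered packets and its drop rate. It assumes packets delivered to a process equal Analyzed + Dropped; `queue_shares` and `skewed` are hypothetical helper names.

```python
import re

# Snort shutdown statistics as relayed by syslog, e.g.
# "snort[12306]: Dropped: 2889701486 ( 64.943%)"
STAT = re.compile(r"snort\[(\d+)\]:\s+(Analyzed|Dropped):\s+(\d+)")

def queue_shares(log_text):
    """Map pid -> (share of all packets delivered, drop rate).
    Assumption: packets delivered to a process = Analyzed + Dropped."""
    stats = {}
    for pid, field, count in STAT.findall(log_text):
        stats.setdefault(int(pid), {"Analyzed": 0, "Dropped": 0})[field] = int(count)
    total = sum(sum(s.values()) for s in stats.values())
    return {pid: (sum(s.values()) / total, s["Dropped"] / sum(s.values()))
            for pid, s in stats.items() if sum(s.values())}

def skewed(shares, factor=2.0):
    """PIDs that received more than `factor` times an even 1/N split."""
    return sorted(p for p, (share, _) in shares.items()
                  if share > factor / len(shares))

# Statistics from the quoted message (line wraps joined).
POSTED = """\
Jan 29 11:22:03 snorthost snort[12300]: Analyzed: 271306688 (100.000%)
Jan 29 11:22:03 snorthost snort[12300]: Dropped: 712 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12302]: Analyzed: 316147617 (100.000%)
Jan 29 11:22:03 snorthost snort[12302]: Dropped: 1127688 ( 0.355%)
Jan 29 11:22:03 snorthost snort[12304]: Analyzed: 2154918764 (100.000%)
Jan 29 11:22:03 snorthost snort[12304]: Dropped: 82205 ( 0.004%)
Jan 29 11:22:03 snorthost snort[12306]: Analyzed: 1559887127 (100.000%)
Jan 29 11:22:03 snorthost snort[12306]: Dropped: 2889701486 ( 64.943%)
Jan 29 11:22:03 snorthost snort[12308]: Analyzed: 278222877 (100.000%)
Jan 29 11:22:03 snorthost snort[12308]: Dropped: 5283 ( 0.002%)
Jan 29 11:22:03 snorthost snort[12310]: Analyzed: 500304473 (100.000%)
Jan 29 11:22:03 snorthost snort[12310]: Dropped: 0 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12312]: Analyzed: 476476420 (100.000%)
Jan 29 11:22:03 snorthost snort[12312]: Dropped: 2872 ( 0.001%)
Jan 29 11:22:03 snorthost snort[12314]: Analyzed: 310040648 (100.000%)
Jan 29 11:22:03 snorthost snort[12314]: Dropped: 8970 ( 0.003%)
Jan 29 11:22:03 snorthost snort[12316]: Analyzed: 275970056 (100.000%)
Jan 29 11:22:03 snorthost snort[12316]: Dropped: 0 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12318]: Analyzed: 268692346 (100.000%)
Jan 29 11:22:03 snorthost snort[12318]: Dropped: 0 ( 0.000%)
Jan 29 11:22:03 snorthost snort[12320]: Analyzed: 472844029 (100.000%)
Jan 29 11:22:03 snorthost snort[12320]: Dropped: 16234 ( 0.003%)
Jan 29 11:22:03 snorthost snort[12322]: Analyzed: 414535582 (100.000%)
Jan 29 11:22:03 snorthost snort[12322]: Dropped: 0 ( 0.000%)
"""
```

Calling `skewed(queue_shares(POSTED))` lists the processes that received more than twice an even 1/12 share; the same functions can be run over a fresh syslog extract after changing the cluster mode to see whether the distribution moved.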
