Title: Ericsson Signature
Hi,
Reading the README.1st file in
PF_RING/userland/snort/pfring-daq-module it states that socket
clustering can be used to distribute packets across multiple process
instances. I assume that's how it is possible to get large
throughput with snort as you run many instances. I tried running
snort again without clustering but still no joy.
/usr/local/bin/snort -A console --daq-dir=/usr/local/lib/daq --daq pfring --daq-var bindcpu=3 -i eth8:eth9 -Q
# ping 192.168.0.10
PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=2276 ms
64 bytes from 192.168.0.10: icmp_seq=2 ttl=64 time=1276 ms
64 bytes from 192.168.0.10: icmp_seq=3 ttl=64 time=276 ms
64 bytes from 192.168.0.10: icmp_seq=4 ttl=64 time=1278 ms
64 bytes from 192.168.0.10: icmp_seq=5 ttl=64 time=1279 ms
64 bytes from 192.168.0.10: icmp_seq=6 ttl=64 time=1280 ms
64 bytes from 192.168.0.10: icmp_seq=7 ttl=64 time=1282 ms
//Norbert
On 06/03/14 20:34, Luca Deri wrote:
Why do you use a cluster?
On 03/06/2014 08:10 AM, Norbert Furlani wrote:
Hi,
I've downloaded and compiled the latest svn PF_RING and snort
(2.9.6.0).
pf_ring kernel module loaded (transparent_mode=0
min_num_slots=32768 enable_tx_capture=0)
$ cat /proc/net/pf_ring/info
PF_RING Version : 5.6.3 ($Revision: exported$)
Total rings : 2
Standard (non DNA) Options
Ring slots : 32768
Slot version : 15
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Transparent mode : Yes [mode 0]
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
and snort executed as follows (no rules):-
# /usr/local/bin/snort -A console --daq-dir=/usr/local/lib/daq --daq pfring --daq-var fast-tx=1 --daq-var clusterid=10,11 --daq-var bindcpu=3 -i eth8:eth9 -Q
I have one host connected on eth8 and one on eth9. When I ping
one host from the other, I see the packet header in the
console and the ICMP replies are received, however the RTTs
are over 1000ms. ssh or ftp across the link is unusable.
By comparison, if I use afpacket daq, performance is
excellent.
On a side note, if I invoke another instance of snort using
pf_ring, I do not see a load balance of packets either.
Anyone have similar problems? I'm thinking of trying ubuntu
13.10 to see if it makes any difference.
_______________________________________________
Ntop-misc mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
--
NORBERT FURLANI
IT Begins With US
Ericsson Australia
ITTE Service Delivery Australia
6/153 Bertie Street
Port Melbourne 3207, Australia
Phone +61 3 9301 3239
Mobile +61 416 131 772
[email protected]
www.ericsson.com