Accelerated Snort with a Custom DAQ Module

I am sharing this video as a follow-up to last week’s blog entry about hardware acceleration. With permission from our customer (undisclosed), I captured a very short video clip of sixteen (16) instances of Snort 2.9.x running under load.

This deployment is the first trial using our implementation of the Snort DAQ module for packet I/O. The video clip shows the performance while handling about 7 Gbps of live traffic in a data center. The first screen in the video is the Linux command top displaying load and CPU utilization. The second screen is the output of /proc/net/dev showing packet capture statistics.

This particular sensor is running Debian 6.0 with dual Intel E5620 processors (hyper-threaded), lots of memory, and a Napatech NT20E2 (2 x 10G). No packets are being dropped thanks to the acceleration provided by the Napatech adapter and a custom DAQ module. In my opinion, when using hardware like the Napatech NT20E2 with Snort, the DAQ interface is the way to go, offering better control, performance, and ease of integration.
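
The drop check that the /proc/net/dev screen provides by eye can be scripted. The following is an added example, not code from the original post or from the DAQ module: it compares two snapshots of /proc/net/dev and reports the receive rate and newly dropped packets per interface. The interface names and counter values are constructed samples.

```python
"""Compare two /proc/net/dev snapshots: receive rate and drops per interface."""

RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame",
             "compressed", "multicast")
HEADER = (
    "Inter-|   Receive                              |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast|"
    "bytes packets errs drop fifo colls carrier compressed\n"
)
# Constructed snapshots taken 10 seconds apart; eth2/eth3 are assumed names.
# Large counters can touch the colon ("eth2:9000..."), so never split on spaces.
SAMPLE_T0 = HEADER + (
    "    lo:    4096 32 0 0 0 0 0 0 4096 32 0 0 0 0 0 0\n"
    "  eth2:900000000000 1200000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n"
    "  eth3:500000000000 700000000 0 10 0 0 0 0 0 0 0 0 0 0 0 0\n"
)
SAMPLE_T1 = HEADER + (
    "    lo:    4096 32 0 0 0 0 0 0 4096 32 0 0 0 0 0 0\n"
    "  eth2:908750000000 1212000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0\n"
    "  eth3:500000001000 700000100 0 15 0 0 0 0 0 0 0 0 0 0 0 0\n"
)

def parse_net_dev(text):
    """Return {interface: {rx counter name: value}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:          # skip the two header lines
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        values = [int(v) for v in rest.split()]
        stats[name.strip()] = dict(zip(RX_FIELDS, values[:len(RX_FIELDS)]))
    return stats

def rx_delta(before, after, seconds):
    """Per-interface receive rate and new drops between two snapshots."""
    report = {}
    for iface, now in after.items():
        prev = before.get(iface)
        if prev is None or now["packets"] < prev["packets"]:
            continue                            # new interface or counter reset
        report[iface] = {
            "gbps": (now["bytes"] - prev["bytes"]) * 8 / seconds / 1e9,
            "pps": (now["packets"] - prev["packets"]) / seconds,
            "dropped": now["drop"] - prev["drop"],
        }
    return report

if __name__ == "__main__":
    result = rx_delta(parse_net_dev(SAMPLE_T0), parse_net_dev(SAMPLE_T1), 10)
    for iface, r in sorted(result.items()):
        print(f"{iface}: {r['gbps']:.2f} Gbps, {r['pps']:.0f} pps, {r['dropped']} dropped")
```

On a live sensor, replace the sample strings with two reads of /proc/net/dev separated by a sleep of the chosen interval.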