Run Snort

Running Snort on Linux

Platform: Napatech SmartNIC
Content Type: Application Note
Capture Software Version: Link™ Capture Software 12.5

About this task

This example assumes the following hardware configuration:
  • Number of CPU cores: 2 × 4 × hyper-threading = 16
  • NUMA Nodes: 2
  • Only one SmartNIC enabled
By default, Napatech libpcap devices use a fast segment-based interface that does not support merging packets between SmartNICs. If you need to enable more than one SmartNIC, you have two options:
  • Avoid the need for packet merge between SmartNICs by adding port tests, as described in DN-0449.
  • Set up libpcap devices for packet merge between SmartNICs, as described in DN-0428.

Steps

To take advantage of the multi-CPU distribution feature of Napatech Link™ Capture Software when running Snort, perform the following steps.

Procedure

  1. In the /opt/napatech3/config/ntservice.ini file, define exactly as many host buffers as the number of Snort instances you are planning to run.
    [Adapter0]
    # NT20E2 and NT4E adapters were used in the performance tests
    AdapterType=NT20E2
    
    # Use "lspci | grep Napatech" command to get BusId if in doubt
    BusId=00:0a:00:00
        
    # Define 8 host buffers on NUMA node 0
    # and 8 host buffers on NUMA node 1
    # Define exactly as many host buffers as there are
    # Snort instances – 16 in this example.
    HostBuffersRx=[8,16,0],[8,16,1]
  2. Use the lscpu command to determine the mapping of CPUs to NUMA nodes.
    # lscpu | grep NUMA
    NUMA node(s):          2
    NUMA node0 CPU(s):     0-3,8-11
    NUMA node1 CPU(s):     4-7,12-15
  3. Apply NTPL to configure streams and their affinity to NUMA nodes. This example creates 16 streams that will be available for Snort through the pcap DAQ as nt3g0 - nt3g15.
    Delete=All
    
    HashMode=Hash5TupleSorted
    
    Assign[StreamId=(0..15)]=All
    
    Setup[NUMANode=0]=StreamId==0,1,2,3,8,9,10,11
    Setup[NUMANode=1]=StreamId==4,5,6,7,12,13,14,15
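    This table summarizes the affinity of Snort instances to CPU cores for various numbers of Snort instances. Table cells are stream numbers; "-" marks a CPU core with no Snort instance.

                          NUMA Node 0            |  NUMA Node 1
    CPU core              0  1  2  3  8  9 10 11 |  4  5  6  7 12 13 14 15
    ---------------------------------------------+------------------------
    4 Snort instances     0  1  -  -  -  -  -  - |  2  3  -  -  -  -  -  -
    8 Snort instances     0  1  2  3  -  -  -  - |  4  5  6  7  -  -  -  -
    12 Snort instances    0  1  2  3  8  9  -  - |  4  5  6  7 10 11  -  -
    16 Snort instances    0  1  2  3  8  9 10 11 |  4  5  6  7 12 13 14 15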
  4. Start the Snort instances one per CPU core. Each instance must have a CPU affinity set using the taskset command.
    # taskset -c <cpu> /usr/local/snort/bin/snort -i <nt3g#> -A fast -K none -N -b -c /usr/local/snort/etc/snort.conf
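
As an added example (not part of the Napatech application note), the following POSIX shell script derives the plan for steps 3 and 4 from the lscpu output: it prints the NTPL Setup lines and one taskset command per Snort instance. The function names and the INSTANCES variable are hypothetical, the lscpu text is the sample from step 2, and the stream numbering rule (ascending CPU order) is an assumption inferred from the affinity table.

```shell
#!/bin/sh
# Constructed sample: the "lscpu | grep NUMA" lines from step 2.
# On a live host: LSCPU_NUMA=$(lscpu | grep 'NUMA node[0-9]')
LSCPU_NUMA='NUMA node0 CPU(s):     0-3,8-11
NUMA node1 CPU(s):     4-7,12-15'

# plan N: print "stream cpu node" for N Snort instances. Takes the first
# N/nodes CPUs of each NUMA node and numbers streams in ascending CPU order
# (assumption: this is the rule behind the affinity table in step 3).
plan() {
    nodes=$(printf '%s\n' "$LSCPU_NUMA" | grep -c 'NUMA node[0-9]') || :
    [ "$nodes" -gt 0 ] && [ "$1" -gt 0 ] 2>/dev/null && [ $(( $1 % nodes )) -eq 0 ] || {
        echo "instance count must be a positive multiple of $nodes" >&2
        return 1
    }
    printf '%s\n' "$LSCPU_NUMA" | awk -v per=$(( $1 / nodes )) '
        /NUMA node[0-9]/ {
            node = substr($2, 5); taken = 0
            m = split($NF, parts, ",")
            for (i = 1; i <= m; i++) {          # expand ranges such as 8-11
                k = split(parts[i], r, "-")
                for (c = r[1] + 0; c <= r[k] + 0 && taken < per; c++) {
                    print c, node; taken++
                }
            }
        }' | sort -n |
    awk -v n="$1" '{ print NR - 1, $1, $2 } END { exit (NR != n) }'  # fails if too few CPUs
}

# NTPL Setup lines that bind each stream to the NUMA node of its CPU core.
ntpl_setup() {
    p=$(plan "$1") || return 1
    printf '%s\n' "$p" | awk '{ ids[$3] = ids[$3] (ids[$3] == "" ? "" : ",") $1 }
        END { for (node = 0; node in ids; node++)
                  print "Setup[NUMANode=" node "]=StreamId==" ids[node] }'
}

# The step 4 command line for every instance (printed, not executed).
snort_cmds() {
    p=$(plan "$1") || return 1
    printf '%s\n' "$p" | while read -r stream cpu node; do
        echo "taskset -c $cpu /usr/local/snort/bin/snort -i nt3g$stream -A fast -K none -N -b -c /usr/local/snort/etc/snort.conf"
    done
}

# Stand-alone run: plan for 16 instances (override with INSTANCES=12).
ntpl_setup "${INSTANCES:-16}" && snort_cmds "${INSTANCES:-16}"
```

Keep HostBuffersRx in ntservice.ini at the same per-node counts, because step 1 requires exactly one host buffer per Snort instance.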