IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: challenges in capturing Gigabit ethernet

From: hank.schupp () mantech-ist com
Date: 28 Dec 2005 02:57:34 -0000
I've tried some experiments with collecting at high-speed off gigabit cards.  Created a test system that generated 
traffic at varied rates from 10 mbs to 1 gbs.  Though the cards themselves reported very little loss (Endace products) 
the ability to write the data to disk started failing around 250 mbs.  Though I intend to continue testing in the near 
future I first see that I need to become a little smarter on storage and which is the quickest for write-speed. 

Understand also that the tests were not done under the most scientific conditions - still repeated testing showed our 
breakdown was primarily the ability to write the data to disk and not the gigabit card's ability to process the data.

The next question would be, if we COULD write to disk as fast as we collected the data, at which point do other factors 
such as the OS, the CPU, the memory, or the aplication itself become a factor?  

The testing I am doing is for a Windows-based application and, as such, I have not yet looked at the same conditions 
under *nix.  I have some interest in that area though so may see what I can find out there as well.  

I know I have seen other folks discuss these same concerns here in the past.  I seem to recall someone else having 
found the ability to write to disk a severe limitation.  Mind you that most ID/IPS system do not try to write every 
packet to disk - they usually only write the packet or session that that triggered an event.  So, for IDS/IPS sensors 
any speed limitations tend to deal with how much "analysis" must be done on the traffic passing by/through the sensor.  
The more rules in effect - the less they are able to process.  Which is a big reason why "tuning" of sensors to your 
network is so important.  Normalizing the sensor to your particular network configuration, addressing scheme, etc. will 
reduce a LOT of the false positives.  Disabling rules that do not apply to your network also improves the sensor's time 
to spend analyzing the traffic you DO determine is valid.  

OK folks ... Flame on!  <grin>

Hank  

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: