Snort mailing list archives

Re: packet size


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 25 Aug 2003 15:04:40 -0400

At 02:27 PM 8/25/2003 +0300, Mehmet Ersan TOPALOGLU wrote:
In case of constant, for example 20Mbit/s rate, network traffic.
What is the difference between large packets and small packets
for snort and for libpcap?

e.g: first case: large packets -> 5000packet/s with 20Mbit/s rate
      second case: small packets -> 20.000 packets/s with 20Mbit/s rate

Well, that's the difference.. higher packets per second means that snort is going to be called upon to process data more frequently. Now, admittedly much of the content searching is faster because the packets are shorter, but there are no gains in the header checks.

I'd expect that overall many short packets per second is much harder on a snort box than large packets at the same datarate. Snort's going to have to do more header inspections, and it's going to have to switch in and out of pcap more often to get all this done.

Someone more familiar with the code might be able to answer this more accurately, but I'd venture to guess snort performance scales linearly with packet rate, and logarithmically with packet size. In "big O" notation, my guess would be expressed as O(n * log s), where n is the number of packets and s is their size.

Of course, the exact numbers will obviously be very complex based on the number of rules with header checks, what HOME_NET is set to, how many "any any -> any any" rules are present, what types of packets and plugins are used, etc. I'm just giving a very rough guess at how the performance scales in terms of order of magnitude, based on a very limited understanding of how snort works, and making many gross assumptions about the details of it all.






