Snort mailing list archives
Re: How To Measure Promiscuous Mode ...
From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 24 Jul 2003 13:56:47 -0500 (CDT)
John,
See my answers inline below:
On Thu, 24 Jul 2003, John Crain wrote:
I read that placing an interface in promiscuous mode increases system utilization, but I didn't find any specifics. Does anyone have any suggestions on how to measure the impact on a system by placing an interface in promiscuous mode?
Q1: Would the impact on the system be dependent on the number of packets the system had to process?
A1: Yes. The load on the system is directly proportional to the amount of traffic.
Q2: To take accurate measurements, would you agree that a packet generator would be necessary for testing?
A2: Maybe. If you wanted to do a benchmark, you would need to control the input, i.e., packets hitting your sensor. Otherwise, you can hook your sensor up to see real data, measure the load on your sensor box, and adjust from there.
Q3: If yes to Q2, is it possible to build a packet generator to spit out the exact same type and number of packets for repeated testing?
A3: Sure. A while loop comes to mind ;-)
Q4: If a sensor interface with no IP address is attached to a SPAN port, does the sensor interface need to be in promiscuous mode? (I don't believe it does since all packets on the switch/router are being shot at the sensor and the sensor has no IP address to discern.)
A4: Yes. Without putting that interface in promiscuous mode, all the packets will be dropped as none are destined to the non-existent IP address.
Q5: If a sensor interface with an IP address is attached to a SPAN port and the interface is not in promiscuous mode, will the sensor interface be able to "see" all packets from the SPAN port?
A4: No. Same as above. Just because the packets are on the wire doesn't mean the interface will pick them up. That's why they call it promiscuous mode ;-)
Thanks. -John
Good luck and happy snorting.
Demetri Mouratis
dmourati () linfactory com
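One way to take the measurement discussed in A1 and A2, as an added example that is not part of the original thread: sample the sensor's receive counters and CPU counters twice and report packets per second, drops and CPU busy percentage for the interval. It assumes a Linux sensor with the usual /proc/net/dev and /proc/stat layouts; the interface name eth1 and all sample values are constructed.

```python
import sys
import time

# Constructed samples (Linux /proc/net/dev and /proc/stat layout), taken 10 s apart.
NET_A = """Inter-|   Receive                            |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets
  eth1: 1000000 10000 0 5 0 0 0 0 0 0 0 0 0 0 0 0
"""
NET_B = NET_A.replace("1000000 10000 0 5", "61000000 610000 0 25")
STAT_A = "cpu  1000 0 500 8000 100 0 400 0 0 0\n"
STAT_B = "cpu  1100 0 600 8600 100 0 600 0 0 0\n"

def parse_net_dev(text, iface):
    """Return (rx_packets, rx_dropped) for iface."""
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            f = rest.split()  # rx columns: bytes packets errs drop ...
            return int(f[1]), int(f[3])
    raise KeyError(iface)

def parse_cpu(text):
    """Return (busy, total) jiffies from the aggregate 'cpu' line."""
    for line in text.splitlines():
        p = line.split()
        if p and p[0] == "cpu":
            v = [int(x) for x in p[1:9]]  # user nice system idle iowait irq softirq steal
            return sum(v) - (v[3] + v[4]), sum(v)
    raise ValueError("no aggregate cpu line")

def load_between(net_a, stat_a, net_b, stat_b, iface, seconds):
    """Packet rate, drops and CPU busy % between two samples."""
    rx_a, drop_a = parse_net_dev(net_a, iface)
    rx_b, drop_b = parse_net_dev(net_b, iface)
    busy_a, tot_a = parse_cpu(stat_a)
    busy_b, tot_b = parse_cpu(stat_b)
    return {"pps": (rx_b - rx_a) / seconds,
            "drops": drop_b - drop_a,
            "cpu_pct": 100.0 * (busy_b - busy_a) / max(tot_b - tot_a, 1)}

if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth1"
    read = lambda path: open(path).read()
    # Live run on the sensor: sample, wait, sample again.
    a = read("/proc/net/dev"), read("/proc/stat")
    time.sleep(10)
    b = read("/proc/net/dev"), read("/proc/stat")
    print(load_between(a[0], a[1], b[0], b[1], iface, 10))
```

Running it once with the interface in normal mode and once in promiscuous mode, under the same traffic, gives two sets of figures to compare.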