Snort mailing list archives
RE: 2.1.3rc1 Performance
From: "John Creegan" <jcreegan () questarweb com>
Date: Wed, 19 May 2004 16:37:51 -0500
I think you might be able to kill or launch multiple instances if you create a shellscript to kill or launch each instance (you'd have to know the PID of each) and use cron to call the kill or launch scripts. It might not be down to the nanosecond, but it'll be darn close. Make sure two specify two separate cron table entries to do this, both with the same date/time spec. Chaining the two events together on one line with a semicolon would defeat the purpose.
<Gary_Portnoy () itginc com> 05/19/04 03:38PM >>>
netstat -ni reports all the packets since the last reboot, not really
helpful.
Running two instances side by side doesn't really work since i can't
launch them both or kill them both at exactly the same time.
The only way to verify that would be to inject a known amount of packets
on the wire and see which version reports the correct value. Can anyon
recommend a tool for packet generation? I am thinking I'd like to create
like 400,000 packets and inject them on the wire at 5mbps and see which
version reports the truth.
Thanks,
-------------------------------------------
Gary Portnoy
Dirk Geschke <Dirk () geschke-online de>
05/19/2004 03:47 PM
To: Gary_Portnoy () itginc com
cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 2.1.3rc1 Performance
Hi Gary,
The question remains however, which version is misreporting statistics?
I
suspect 0.8.3 since it reported 128.633% drop rate at one point.
hmm, drop/(recv+drop) shoule never exceed 100% or recv must be negative...
Or is 0.8.3 just that much slower? Anyone care to comment?
Can you verify how many packets were really on the wire during your snort runs? I think 'netstat -ni' should be helpful or a parallel snoop run on the sniffed interface. Maybe the old libpcap returned wrong values? Best regards Dirk -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- This message is for the named person's use only. This communication is for informational purposes only and has been obtained from sources believed to be reliable, but it is not necessarily complete and its accuracy cannot be guaranteed. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. Moreover, this material should not be construed to contain any recommendation regarding, or opinion concerning, any security. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. ITG Inc. reserves the right to monitor and archive all electronic communications through its network. ITG Inc. Member NASD, SIPC -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- ------------------------------------------------------- This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now for SourceForge Broadband and get the fastest 6.0/768 connection for only $19.95/mo for the first 3 months! http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure,copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. ------------------------------------------------------- This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now for SourceForge Broadband and get the fastest 6.0/768 connection for only $19.95/mo for the first 3 months! http://ads.osdn.com/?ad_id%62&alloc_ida84&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: 2.1.3rc1 Performance, (continued)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- SnortCenter-Acid-SuSE byte_test issue Mike Feetham (May 19)
- Re: SnortCenter-Acid-SuSE byte_test issue AJ Butcher, Information Systems and Computing (May 20)
- SnortCenter-Acid-SuSE byte_test issue Mike Feetham (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- RE: 2.1.3rc1 Performance Dirk Geschke (May 19)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 19)
- RE: 2.1.3rc1 Performance Darren Webb (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- RE: 2.1.3rc1 Performance John Creegan (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 19)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 20)
- RE: 2.1.3rc1 Performance snort user (May 20)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 20)
- RE: 2.1.3rc1 Performance Kreimendahl, Chad J (May 20)
- RE: 2.1.3rc1 Performance Gary_Portnoy (May 20)