Snort mailing list archives

Re: Snort's Processing Rate

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Apr 2004 17:34:57 -0400

At 01:53 PM 4/13/2004, Sherif Yusuf wrote:

I hust need to know the maximum (maybe published, doesnt have to be)packet processing rate while using Snort. If I could get a reference towhere this number is stated that would be great.

I don't think there is any single maximum packet processing rate. But forstarters, the sourcefire NS3000 (a VERY highly tuned snort sensor with lotsof add-on utilities, but still runs the same snort code at it's core) israted for wire-speed gigabit ethernet with 0% loss.


http://www.sourcefire.com/products/sensor.html

Of course, I assume that spec is based on full-sized ethernet frames. I'dbe surprised (and impressed!) if they could keep up with gigabit ethernetsaturated with 64byte packets (even most gigabit firewalls can't keep upwith tiny packets at wire-speed). However, such a network load is highlyunrealistic.


I don't know of any efforts offhand to make snort run on 10gb/sec ethernet.

Aside from "interface wire rate" as a hard maximum, Snort's maximumprocessing rate is going to be a function of all of these variables (andprobably some I missed):


        CPU speed and architecture
        IO bus architecture to network interface
        IO bus architecture to system RAM

Available RAM (ie: are you paging? how much is used for diskcaching? etc)

        system load
        variety of PCAP interface
        OS kernel (vm, scheduler, etc)
        ruleset complexity
        system performance tuning
        rate of alert
        IO speed to logging mechanism






-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort's Processing Rate Sherif Yusuf (Apr 13)
- Re: Snort's Processing Rate Matt Kettler (Apr 13)
- <Possible follow-ups>
- RE: Snort's Processing Rate Matt Gibson (Apr 13)
- RE: Snort's Processing Rate Kreimendahl, Chad J (Apr 13)
- RE: Snort's Processing Rate Bob Walder (Apr 14)