Snort mailing list archives
Re: Estimating Snort's speed in processing pcaps
From: Pablo Cantos Polaino <pcantos () redborder org>
Date: Thu, 28 May 2015 16:17:00 +0200

Hi Patrik,

Could you please paste here the Snort output?

Best Regards,
Pablo Cantos
redborder.org / pcantos () redborder org

2015-05-28 15:00 GMT+02:00 Y M <snort () outlook com>:

Hi Patrik,

Things to consider also:

1. The number of preprocessors enabled (HTTP, SMTP, etc.).
2. The configuration of each preprocessor. For example, server_flow_depth and client_flow_depth in http_inspect.
3. The number of rules enabled AND included in your snort.conf.
4. The output plugin used (unified2, full text, log_dump, console).
5. How your HOME_NET and EXTERNAL_NET are configured.

All of these may have an impact on how Snort may perform at least when doing live detection.

YM

Date: Thu, 28 May 2015 17:09:44 +0530
From: pratik.cse.bits () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Estimating Snort's speed in processing pcaps

Dear Snort users,

I was recently feeding some pcaps to Snort, and trying to understand how fast it does so. The results are a bit surprising and I think I need some help of the experts here...

So, I ran:

sudo snort -c /etc/snort/snort.conf --pcap-dir="/path/to/dump"

It had some 4,000 files, each of around 50 MB, totaling to 200 GB. These files were captured using dumpcap on my University's backbone router, with payloads truncated to 150 bytes.

"capinfos" on one such file is given below:

capinfos trace_00001_20150502000001.pcap
File name: trace_00001_20150502000001.pcap
File type: Wireshark/tcpdump/... - libpcap
File encapsulation: Ethernet
Packet size limit: file hdr: 150 bytes
Packet size limit: inferred: 150 bytes
Number of packets: 419649
File size: 51200110 bytes
Data size: 305514817 bytes
Capture duration: 21 seconds
Start time: Sat May 2 00:00:01 2015
End time: Sat May 2 00:00:22 2015
Data byte rate: 14640117.49 bytes/sec
Data bit rate: 117120939.92 bits/sec
Average packet size: 728.02 bytes
Average packet rate: 20109.37 packets/sec

What astounded me was that Snort took a little more than one hour to go through all of the pcaps. That means more than one file every second - which is amazing!! What I wish to know here - is this processing speed of Snort "pretty normal", or am I missing something here?

FWIW, I am running Snort on a server grade machine with 64GB of RAM and 24 cores.

Cheers!

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!