Honeypots mailing list archives

Re: Sebek benchmarks?


From: Edward Balas <ebalas () iu edu>
Date: Tue, 10 Jan 2006 10:37:29 -0500


NAHieu wrote:

| Hello,
|
| I am figuring out how much overhead Sebek costs in a Linux 2.6
| environment. I looked everywhere for a document that carried out
| any benchmark on Sebek, but to no avail. Does such a paper/document
| exist, but I don't know about it?
|
| If it doesn't, I would like to run some benchmarks myself. I imagine
| that these kinds of benchmarks are necessary:
| - Filesystem benchmark (because Sebek patches some I/O related syscalls)
| - Network benchmark (Sebek patches the socket syscall)
| - ... (what more?)
|
| Could anybody please recommend exactly which (standard)
| benchmarks I should run? I will post the results to the list.
|
| Many thanks. Hieu


Hieu,

I would recommend looking at the following.

1.  The most frequent system calls that Sebek v3 monitors are the
sys_open and sys_read calls, if I recall correctly.

2.  If you are doing keystroke-only monitoring, then you are only
recording the sys_reads with a length of 1. This will reduce the
performance hit.

3.  Network performance won't be impacted all that much by the
sys_socket call, but you will see an impact from the Sebek data
export; if nothing else, you will see a decrease in LAN bandwidth
equivalent to the amount that is consumed by Sebek in the export
process.

4.  It should also be noted that packet export is to some extent
decoupled from the actual collection of system call data, i.e. we
record the interesting data and then put it on a tx queue for it to be
exported later. So this type of decoupling may slightly complicate
profiling.

I'd love to see what you come up with.

Edward


