Snort mailing list archives

Re: Snort sniffing (snorfing?)


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 22 Aug 2001 14:28:57 -0700 (PDT)

On Wed, 22 Aug 2001, Wedge Breaker wrote:

> 1st time poster - long time listener.

Hah!  We've dragged another one in!  :)

> I'm trying to evaluate Snort's ability to just sniff traffic and I need
> some help figuring out how to do it.  My goal is to baseline the amount of
> traffic snort can handle.  I'll be running Netperf or something to
> generate traffic and I want to see if Snort can keep up.

> I do know that I can do this:

> snort -i eth0 -v > /dev/null

> but Marty says in his Snort paper that running in verbose mode is slow.
> Is that still the case if I'm dumping to /dev/null?

Yes, it is 'slow' but the term 'slow' depends on what you want to do.

> I also know that in Marty's paper, he says that in -b mode (binary
> logging) that Snort can keep up with 100Mbit/s traffic.  That may be so,
> but I would think that if you wanted optimum sniffability, you wouldn't
> want to log any data, just count packets.  Right?

Err...  Well, consider this:  Even though you are ditching output to /dev/null
snort must read the packet (sniff), decode the packet (process), print out the
packet (-v).  If you log to binary with one process, rotate the logs, restart
snort and then post process the packets logged to binary, you are going to get
a much higher rate of traffic.  The 'sniff' process only reads the data from
the wire, then drops it to disk.  No decoding done, no output--other than disk
i/o.  The slow part is the -v option which prints it out to the stdout.

> Any suggestions?

Lots!  But I'm not sure if they are useful here. :)  What are you really
trying to achieve?  If it's seeing the saturation point at which snort will
start to lose packets, then you should log to binary, and post process.  If
it's how fast it will print to screen and drop packets, then use the -v switch.

Sorry I'm not more help, but I'm still working on figuring out what you're
shooting for.  Hope this helped some.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
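As an added example that is not part of Erek's reply or of Snort itself, the following POSIX shell harness runs the comparison he describes: one pass logging to binary with -b and -l, one pass with -v, each under netperf load, then it reads the packet statistics Snort prints when it gets SIGINT and post-processes the binary log offline with -r. Assumed rather than taken from the page: Snort 1.x flag behaviour, netperf with a server at the placeholder address 192.0.2.10, and the wording of Snort's exit summary ("received N", "dropped M"), which parse_stats accepts in two forms but which you should check against your build's actual output.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): benchmark
# Snort's raw sniffing rate the way the reply suggests -- capture to binary
# with -b, then post-process offline with -r -- and compare it with -v.
# Assumptions: Snort 1.x style flags (-i -b -l -r -v), netperf on PATH, a
# netperf server at $PEER, and that Snort's exit summary contains
# "received <n>" and "dropped <n>" (wording varies by version; verify yours).
set -u

IFACE=${IFACE:-eth0}
LOGDIR=${LOGDIR:-./snortbench}
DURATION=${DURATION:-60}          # seconds of netperf load per pass
PEER=${PEER:-192.0.2.10}          # placeholder netperf server (RFC 5737 range)

# Extract "received dropped drop%" from Snort's exit summary on stdin.
# Handles both "received N ... dropped M(x%)" on one line and a separate
# "Dropped: M(x%)" line; the format is assumed, adjust to your build's output.
parse_stats() {
    awk '
      /received/   { for (i = 2; i <= NF; i++)
                         if ($(i-1) == "received" && $i ~ /^[0-9]+$/) r = $i }
      /[Dd]ropped/ { for (i = 1; i < NF; i++)
                         if ($i ~ /^[Dd]ropped:?$/) { d = $(i+1); sub(/\(.*/, "", d) } }
      END { pct = (r > 0) ? 100 * d / r : 0; printf "%d %d %.3f\n", r, d, pct }'
}

# One timed pass. $1 = binary|verbose. Snort prints its packet statistics
# when it gets SIGINT, so its output is kept in a file and parsed afterwards.
capture_pass() {
    mode=$1
    mkdir -p "$LOGDIR/$mode"
    if [ "$mode" = binary ]; then
        # Capture only: no -v, no rules; packets go to disk in tcpdump format.
        snort -i "$IFACE" -b -l "$LOGDIR/$mode" > "$LOGDIR/$mode/snort.out" 2>&1 &
    else
        # The thread's first idea: decode and print every packet. Output goes
        # to a file rather than /dev/null so the exit summary survives; put
        # LOGDIR on tmpfs if you want to keep disk I/O out of the comparison.
        snort -i "$IFACE" -v > "$LOGDIR/$mode/snort.out" 2>&1 &
    fi
    pid=$!
    sleep 2                                       # let snort open the interface
    netperf -H "$PEER" -l "$DURATION" -t TCP_STREAM > "$LOGDIR/$mode/netperf.out"
    kill -INT "$pid"
    wait "$pid" || true
    parse_stats < "$LOGDIR/$mode/snort.out"
}

run_benchmark() {
    for mode in binary verbose; do
        set -- $(capture_pass "$mode")
        echo "$mode: received=$1 dropped=$2 drop_pct=$3"
    done
    # Post-process the binary capture offline: decode it with -v (or run the
    # real rule set with -c snort.conf) now that the wire is no longer the clock.
    for f in "$LOGDIR"/binary/snort*.log*; do
        [ -f "$f" ] || continue
        snort -r "$f" -v > /dev/null
    done
}

if [ "${1:-}" = "--run" ]; then
    run_benchmark
fi
```

Run it as `sh snortbench.sh --run` on the sensor with netperf pointed at a real server; the two drop percentages are the saturation comparison Erek is asking about, and the binary log is what you then feed to the decoder and rules offline.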


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

