Snort mailing list archives

RE: Snort sniffing (snorfing?)


From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 23 Aug 2001 08:47:04 -0700 (PDT)


[Not enough coffee yet, so anyone who can jump in here...]

On Thu, 23 Aug 2001, Wedge Breaker wrote:

> Just to clarify - you are saying that the background processing that is
> performed when using the -v option (even to /dev/null) is more overhead
> than writing to disk?  This is pretty much the question I was asking, I
> guess I didn't ask it very well the first time.

Exactly.  Consider the fact that the "-v" option writes to STDOUT _and_ does
packet breakdown.  Also, consider that the snaplen in snort is 1514 bytes
whereas in tcpdump it's only 68 bytes.  Think of using snoop (on Solaris) with
the -v mode.  You get each packet broken down in all the little things printed
to screen.  Extra CPU to break it down and print it.  Now, snort doesn't break
it down that much, but it does give you all sorts of packet data.  Headers,
flags, proto, etc.  For it to do all that, it has to spin some cycles to grok
the packet, and print it in a human readable form.

> I'm trying to find the saturation point - I don't really care about
> printing to the screen (hence /dev/null).  Think of using tcpdump in
> streamlined fashion - you want a "high water mark" of how fast can it
> sniff.  For tcpdump, I do something like tcpdump -i eth0 > /dev/null
> because it can capture more packets that way than any other.  Once you
> have the theoretical maximum, you then have the baseline needed to
> determine what kind of traffic causes what kind of performance hit.  You
> can always go back to your baseline.  I was trying the same thing with
> snort, but it (snort) functions a bit differently than tcpdump.

Gotcha.  Might want to check your benches against "tcpdump -w foo" and "snort
-b ./foo" and compare the same traffic as your "> /dev/null" runs.

> This little effort of mine was prompted by the long-winded,
> blowhard, vendor bashing stint that took place on focus-ids a while back.
> Those yo-yos got me thinking (vendors are good for something I guess ;)
> and I figured I'd see what snort could do.  Just trying to establish my
> baseline i.e. best possible packet capture performance.

Well, considering that both use libpcap, I'm guessing it will be somewhere in
the same ballpark.  Since I've not done this kind of testing, I'm just
_guessing_.

Hope this helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
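The thread's two claims - that a verbose decode-and-print path costs more CPU per packet than a raw binary log, and that snaplen (1514 in snort vs 68 in tcpdump, as stated above) changes how many bytes per packet hit the disk - can be modelled without a live interface. The script below is an added example written for this archive page; it is not snort or tcpdump code and does not reproduce their internals. It builds a constructed Ethernet/IPv4/TCP frame, writes it out in libpcap file format at a chosen snaplen (the "-b" / "-w" style path), decodes it into a one-line human-readable summary (the "-v" style path), and times both over a batch of frames. All frame contents, addresses and ports are constructed sample values.

```python
"""Model of binary logging vs. verbose decoding, and of snaplen truncation.

Added example for the snort-users thread above; not snort/tcpdump source.
"""
import io
import struct
import time

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(payload_len):
    """Constructed Ethernet/IPv4/TCP frame: 10.0.0.1:40000 -> 10.0.0.2:80, PSH|ACK."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + payload_len, 0x1234,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def pcap_global_header(snaplen):
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(frame, snaplen, ts_sec=0, ts_usec=0):
    """Per-packet record: bytes beyond snaplen are dropped, orig_len keeps the real size."""
    captured = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured


def binary_log(frames, snaplen):
    """The 'snort -b' / 'tcpdump -w' style path: raw records, no decoding."""
    buf = io.BytesIO()
    buf.write(pcap_global_header(snaplen))
    for frame in frames:
        buf.write(pcap_record(frame, snaplen))
    return buf.getvalue()


def read_pcap(data):
    """Parse pcap bytes back; returns (snaplen, [(incl_len, orig_len), ...])."""
    snaplen = struct.unpack("<I", data[16:20])[0]
    pos, records = 24, []
    while pos < len(data):
        _, _, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        records.append((incl, orig))
        pos += 16 + incl
    return snaplen, records


def verbose_decode(frame):
    """The '-v' style path: walk the headers and render a human-readable line."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return "non-IP frame"
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    if proto != 6:
        return f"{src} -> {dst} proto {proto}"
    t = 14 + ihl
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[t:t + 14])
    bits = zip("UAPRSF", (32, 16, 8, 4, 2, 1))      # URG ACK PSH RST SYN FIN
    flags = "".join(ch for ch, bit in bits if off_flags & bit)
    return f"{src}:{sport} -> {dst}:{dport} TCP seq={seq} ack={ack} flags={flags}"


def verbose_log(frames):
    out = io.StringIO()
    for frame in frames:
        out.write(verbose_decode(frame) + "\n")
    return out.getvalue()


def bench(n=20000, payload_len=1000):
    """Time both paths over n identical constructed frames; returns seconds spent in each."""
    frames = [build_frame(payload_len)] * n
    t0 = time.perf_counter()
    binary_log(frames, 1514)
    t1 = time.perf_counter()
    verbose_log(frames)
    t2 = time.perf_counter()
    return {"binary_s": t1 - t0, "verbose_s": t2 - t1}


if __name__ == "__main__":
    frame = build_frame(1000)
    for snaplen in (68, 1514):
        size = len(binary_log([frame] * 1000, snaplen))
        print(f"snaplen {snaplen:>4}: {size} bytes on disk for 1000 frames")
    print(bench())
```

Both outputs are written to in-memory buffers, so the measurement isolates the per-packet decode cost from disk speed, which is what the "> /dev/null" runs in the thread were after. Absolute numbers are Python's and say nothing about snort's C code path; the useful reading is the ratio between the two paths, and the byte counts at snaplen 68 against 1514.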


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
