Snort mailing list archives
Re: two sniffers on the same eth ifc performance impact?
From: Phil Wood <cpw () lanl gov>
Date: Fri, 22 Mar 2002 16:03:52 -0700
Anton,

I'm running 5 pcap-based applications on one interface, 2 snort and 3 tcpdump, in an environment where 50,000 to 60,000 packets per second is seen on a daily basis. Each one has a specific pcap filter, with the exception of a tcpdump that captures the first 68 bytes of each packet. Fortunately, I don't see 60,000 packets per second for the entire 24 hour period that I monitor. These rates happen about 16 times a day for about 30 seconds each time. I do end up with 40 to 70 Gig pcap files from this particular tcpdump.

The computer running Linux 2.4.16 is a Dell dual Pentium III (bogomips == 1979). It has 4 Gig of memory and 3 75 Gig SCSI drives. Packet loss varies depending on the situation. The tcpdump uses the -w option, while the snorts are running the full rules set. Usually the tcpdump survives the 24 hour period with no loss.

In order to get snort to perform better, I've found a periodic cause of the 60,000 packets per second problem. Since it is actually a "test" from a known host, I filter those particular packets out with bpf. My snorts use the full rule set, since this is more or less a test situation.

For the days Mar 20th and Mar 21st I saw the following stats:

Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets
Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets

Tcpdump saw those same packets as well as the "test" packets:

446738790 packets received by filter, 24498 packets dropped by kernel (.0054%)
431988285 packets received by filter, 0 packets dropped by kernel

Hope that helps.

On Fri, Mar 22, 2002 at 04:36:46PM -0500, Anton A. Chuvakin wrote:
Hi all,

Just a quick question - I was not able to find an answer anywhere, and my thinking process somehow doesn't lead me to an answer this time ;-)

What is the performance impact of running two sniffers on the same eth0 interface on UNIX/Linux? For example, for whatever weird reason I want to run two snorts, or snort and tcpdump. Will it influence the packet drop rates? CPU utilization (beyond simply running two processes in place of one)?

My problem is that I can test it in a low-traffic environment only and it will have to be deployed in a high-traffic one ;-(

Thanks a lot in advance!

Best,

P.S. I apologize to those who read both focus-ids and snort-users ;-)

--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
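The drop counters quoted in the reply above, as an added example that is not part of the thread or of Snort or tcpdump: a small Python parser (the process labels in front of each line and the line layout are assumptions) that reads the Snort and tcpdump summary formats pasted there and computes each sniffer's kernel drop rate, so that several sniffers sharing one interface can be compared on the same basis.

```python
import re

# Constructed sample: the four summary lines quoted in the thread, one per
# sniffer that shared the interface, prefixed with a made-up process label.
SAMPLE_STATS = """\
snort-mar20: Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets
snort-mar21: Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets
tcpdump-mar20: 446738790 packets received by filter, 24498 packets dropped by kernel
tcpdump-mar21: 431988285 packets received by filter, 0 packets dropped by kernel
"""

# Snort: "analyzed A out of T packets, The kernel dropped D(...%)"
SNORT_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, The kernel dropped (\d+)")
# tcpdump: "R packets received by filter, D packets dropped by kernel"
TCPDUMP_RE = re.compile(r"(\d+) packets received by filter, (\d+) packets dropped by kernel")

def parse_stats_line(line):
    """Return {"name", "seen", "dropped", "unaccounted"} for one summary line, or None."""
    name, _, rest = line.partition(":")
    m = SNORT_RE.search(rest)
    if m:
        analyzed, seen, dropped = (int(g) for g in m.groups())
        # Packets neither analyzed nor counted as dropped; a nonzero value
        # means the two counters do not reconcile exactly.
        return {"name": name.strip(), "seen": seen, "dropped": dropped,
                "unaccounted": seen - analyzed - dropped}
    m = TCPDUMP_RE.search(rest)
    if m:
        seen, dropped = (int(g) for g in m.groups())
        return {"name": name.strip(), "seen": seen, "dropped": dropped, "unaccounted": 0}
    return None

def drop_percent(stats):
    """Kernel drop rate as a percentage of the packets the kernel saw for this sniffer."""
    return 100.0 * stats["dropped"] / stats["seen"] if stats["seen"] else 0.0

def summarize(text):
    """Parse every recognised line and return {name: drop percentage}."""
    result = {}
    for line in text.splitlines():
        stats = parse_stats_line(line)
        if stats is not None:
            result[stats["name"]] = drop_percent(stats)
    return result

if __name__ == "__main__":
    for name, pct in summarize(SAMPLE_STATS).items():
        print(f"{name:14s} kernel drops: {pct:.4f}%")
```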