Snort mailing list archives

Re: two sniffers on the same eth ifc performance impact?


From: Phil Wood <cpw () lanl gov>
Date: Fri, 22 Mar 2002 16:03:52 -0700

Anton,

I'm running 5 pcap based applications on one interface, 2 snort and 3 tcpdump
in an environment where 50,000 to 60,000 packets per second is seen on a daily
basis.  Each one has a specific pcap filter, with the exception of a tcpdump
that captures the first 68 bytes of each packet.  Fortunately, I don't see
60,000 packets per second for the entire 24 hour period that I monitor.
These rates happen about 16 times a day for about 30 seconds each time.
I do end up with 40 to 70 Gig pcap files from this particular tcpdump.

The computer running linux 2.4.16 is a Dell dual Pentium III (bogomips == 1979).
It has 4 Gig of memory and 3 75 Gig scsi drives.

Packet loss varies depending on the situation.  The tcpdump uses the -w option,
while the snorts are running the full rules set.  Usually the tcpdump 
survives the 24 hour period with no loss.  In order to get snort to perform
better, I've found a periodic cause of the 60,000 packets per second problem.
Since it is actually a "test" from a known host, I filter those particular
packets out with bpf.  

My snorts use the full rule set, since this is more or less a test situation.

For the days Mar 20th and Mar 21st I saw the following stats:

Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets
Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets

Tcpdump saw those same packets as well as the "test" packets:

446738790 packets received by filter, 24498 packets dropped by kernel (.0054%)
431988285 packets received by filter, 0 packets dropped by kernel

Hope that helps.

On Fri, Mar 22, 2002 at 04:36:46PM -0500, Anton A. Chuvakin wrote:
Hi all,

Just a quick question - I was not able to find an answer anywhere, and my
thinking process somehow doesn't lead me to an answer this time ;-)

What is the performance impact of running two sniffers on the same eth0
interface in UNIX/Linux. For example, for whatever weird reason I want to
run two snorts or snort and tcpdump? Will it influence the packet drop
rates? CPU utilization (beyond simply running two processes in place of
one). My problem is that I can test it in low traffic environment only and
it will have to be deployed in high-traffic one ;-(

Thanks a lot in advance!

Best,
P.S. I apologize to those who read both focus-ids and snort-users ;-)
-- 
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
     http://www.info-secure.org



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
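An added example, not part of the thread and not Snort or tcpdump code: a small Python checker that parses the Snort and tcpdump end-of-run summary lines quoted above, computes the kernel drop rate for each run, and flags any run above a chosen threshold (the threshold value is an assumption; the sample lines are the four figures from the mail).

```python
import re

# Constructed sample: the four summary lines quoted in the mail above, one
# line per 24-hour run of each sniffer.
SAMPLE_LINES = [
    "Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets",
    "Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets",
    "446738790 packets received by filter, 24498 packets dropped by kernel (.0054%)",
    "431988285 packets received by filter, 0 packets dropped by kernel",
]

SNORT_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, The kernel dropped (\d+)\(")
TCPDUMP_RE = re.compile(r"(\d+) packets received by filter, (\d+) packets dropped by kernel")


def parse_summary(line):
    """Parse one Snort or tcpdump end-of-run line into a dict, or None if it is neither."""
    m = SNORT_RE.search(line)
    if m:
        analyzed, total, dropped = (int(x) for x in m.groups())
        # Snort's three counters need not add up exactly; report the gap rather than hide it.
        return {"tool": "snort", "seen": total, "dropped": dropped,
                "unaccounted": total - analyzed - dropped}
    m = TCPDUMP_RE.search(line)
    if m:
        received, dropped = (int(x) for x in m.groups())
        # The percentage in the mail is taken against the "received by filter"
        # count, so the same denominator is used here.
        return {"tool": "tcpdump", "seen": received, "dropped": dropped, "unaccounted": 0}
    return None


def drop_pct(seen, dropped):
    return 100.0 * dropped / seen if seen else 0.0


def check_runs(lines, max_pct=0.05):
    """Return one record per parsed line with its drop percentage and whether it
    is within max_pct (assumed threshold, in percent); other lines are skipped."""
    out = []
    for line in lines:
        rec = parse_summary(line)
        if rec is None:
            continue
        rec["pct"] = round(drop_pct(rec["seen"], rec["dropped"]), 4)
        rec["ok"] = rec["pct"] <= max_pct
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in check_runs(SAMPLE_LINES):
        flag = "ok" if rec["ok"] else "LOSS"
        print(f"{rec['tool']:8} dropped {rec['dropped']:>6} of {rec['seen']} ({rec['pct']}%) {flag}")
```

Feeding each sniffer's summary into the same check is what makes the per-process drop rates on a shared interface comparable, which is the comparison the question above asks for.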



