Snort mailing list archives

Re: How To Measure Promiscuous Mode ...


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 24 Jul 2003 13:56:47 -0500 (CDT)

John,

See my answers inline below:
On Thu, 24 Jul 2003, John Crain wrote:

> I read that placing an interface in promiscuous mode increases system
> utilization, but I didn't find any specifics. Does anyone have any
> suggestions on how to measure the impact on a system by placing an
> interface in promiscuous mode?
>
> Q1: Would the impact on the system be dependent on the number of
> packets the system had to process?


A1:     Yes.  The load on the system is directly proportional to the
amount of traffic.

> Q2: To take accurate measurements, would you agree that a packet
> generator would be necessary for testing?


A2:     Maybe.  If you wanted to do a benchmark, you would need to control
the input, i.e., packets hitting your sensor.  Otherwise, you can hook
your sensor up to see real data, measure the load on your sensor box, and
adjust from there.

> Q3: If yes to Q2, is it possible to build a packet generator to spit out
> the exact same type and number of packets for repeated testing?

A3:     Sure.  A while loop comes to mind ;-)

> Q4: If a sensor interface with no IP address is attached to a SPAN
> port, does the sensor interface need to be in promiscuous mode? (I don't
> believe it does since all packets on the switch/router are being shot at
> the sensor and the sensor has no IP address to discern.)

A4:     Yes.  Without putting that interface in promiscuous mode, all the
packets will be dropped as none are destined to the non-existent IP
address.

> Q5: If a sensor interface with an IP address is attached to a SPAN port
> and the interface is not in promiscuous mode, will the sensor interface
> be able to "see" all packets from the SPAN port?

A4:     No.  Same as above.  Just because the packets are on the wire
doesn't mean the interface will pick them up.  That's why they call it
promiscuous mode ;-)


> Thanks.
>
> -John


Good luck and happy snorting.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
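
One way to take the measurement discussed in this thread, as an added example that is not part of either poster's message: sample the Linux counters in /proc/stat and /proc/net/dev before and after a fixed interval, once with the sensor interface out of promiscuous mode and once with it in, then compare CPU busy time, received packets per second and drops. The interface name `eth1`, the helper names and all counter values are constructed for illustration.

```python
# Added example: compare sensor load between /proc snapshots (Linux).
# All counter values below are constructed, not measurements.
HDR = ("Inter-|   Receive                |  Transmit\n"
       " face |bytes packets errs drop ...|bytes packets ...\n")

def snapshot(cpu, pkts, drop, iface="eth1"):
    """Build a constructed snapshot; on a live sensor read the two files."""
    return {"stat": "cpu  " + " ".join(map(str, cpu)) + "\n",
            "netdev": HDR + f"  {iface}: {pkts * 100} {pkts} 0 {drop}"
                            " 0 0 0 0 0 0 0 0 0 0 0 0\n"}

def cpu_times(stat_text):
    """Return (total, idle) jiffies from the aggregate 'cpu' line."""
    fields = stat_text.splitlines()[0].split()
    if fields[0] != "cpu":
        raise ValueError("no aggregate cpu line")
    vals = [int(v) for v in fields[1:9]]  # user..steal; guest is inside user
    idle = vals[3] + (vals[4] if len(vals) > 4 else 0)  # idle + iowait
    return sum(vals), idle

def rx_counters(netdev_text, iface):
    """Return (rx_packets, rx_dropped) for one interface."""
    for line in netdev_text.splitlines()[2:]:  # skip the two header lines
        name, _, rest = line.partition(":")
        if name.strip() == iface:
            f = rest.split()
            return int(f[1]), int(f[3])
    raise KeyError(iface)

def load_delta(before, after, iface, seconds):
    """CPU busy %, rx packets/s and new drops between two snapshots."""
    t0, i0 = cpu_times(before["stat"])
    t1, i1 = cpu_times(after["stat"])
    p0, d0 = rx_counters(before["netdev"], iface)
    p1, d1 = rx_counters(after["netdev"], iface)
    if t1 <= t0:
        raise ValueError("snapshots out of order or counters reset")
    busy = 100 * ((t1 - t0) - (i1 - i0)) / (t1 - t0)
    return {"cpu_busy_pct": round(busy, 1),
            "rx_pps": (p1 - p0) / seconds, "rx_dropped": d1 - d0}

# Constructed snapshots taken 10 s apart: S0->S1 promisc off, S1->S2 promisc on.
S0 = snapshot([1000, 0, 500, 8000, 100, 0, 50, 0], 10000, 0)
S1 = snapshot([1020, 0, 520, 8940, 110, 0, 60, 0], 10500, 0)
S2 = snapshot([1100, 0, 640, 9640, 120, 0, 150, 0], 410500, 1200)

if __name__ == "__main__":
    print("promisc off:", load_delta(S0, S1, "eth1", 10))
    print("promisc on: ", load_delta(S1, S2, "eth1", 10))
```

A rising `rx_dropped` delta at a given packet rate means the sensor is losing traffic before it ever reaches Snort, which matters more for detection coverage than the CPU figure alone.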


