Snort mailing list archives
Linux Ring buffer packet capture vs. normal capture
From: Scott Zawalski <scott.zawalski () web de>
Date: Thu, 20 Nov 2003 18:31:20 -0800
I have been using Phil's libpcap with ring buffer support for quite some time, enjoying about half as much packet drop on my gigabit connection compared to normal libpcap. However, I then reverted back to the regular libpcap to do some testing and I noticed that without Phil's patch Snort gathers larger amounts of packets quicker. Why is this? Is the ring buffer just silently being overwritten when Snort is not able to process all the packets being picked up? Is this in a sense creating a blind eye for me, making me think I am viewing more traffic than I really am?
I am using Kernel 2.4.22, P4 2 GHz, 1 Gig RIMM 800 MHz, Intel Pro/1000 T Server (e1000 driver).

Data points (Snort and TCPDUMP). This is my benchmarking "test"; yes, I know it is not the most scientific, but it is a quick throw-together.
snort -i eth1 -c /etc/snort/snort.conf -D ; sleep 10 ; kill -SIGUSR1 `pidof snort`
With ring:
Nov 20 18:15:37 dpgsnrt snort: Snort analyzed 621169 out of 759204 packets,
Nov 20 18:15:37 dpgsnrt snort: dropping 138035(18.182%) packets

Without ring:
Nov 20 18:17:06 dpgsnrt snort.noring: Snort analyzed 1699386 out of 3264616 packets,
Nov 20 18:17:06 dpgsnrt snort.noring: dropping 1565230(47.945%) packets

Note that without ring support ~3 million packets were gathered. With ring support only ~800k were gathered.

TCPDUMP w/ ring buffer:
dpgsnrt [ ~/download/tcpdump-2003.11.20 ]: time ./tcpdump -i eth1 -s 1500 -w /dev/null -c 100000
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
100000 packets captured
107952 packets received by filter
7850 packets dropped by kernel
real 0m0.672s
user 0m0.080s
sys 0m0.580s

TCPDUMP without ring buffer:
dpgsnrt [ ~/download/libpcap-0.8.1104 ]: time tcpdump -i eth1 -s 1500 -w /dev/null -c 100000
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1
442501 packets received by filter
342471 packets dropped by kernel
real 0m2.893s
user 0m0.240s
sys 0m2.070s

Note the time differences. With ring support the time is extremely low. However, without ring buffer it took ~3 times as long.
What am I missing here? I have read a little bit about ring buffers, but I am far from understanding it completely. Is the modified libpcap not gathering all the packets I am getting and just silently overwriting its buffer?
Thank you for your time, I know it's long!

Scott
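A sensor-health check for the numbers quoted in this post, added here as an example and not part of the original message: it parses the Snort SIGUSR1 statistics lines and the tcpdump summary lines, recomputes the drop counts and percentages from the raw counters, and flags any entry where the reported figures do not reconcile. The log text is constructed from the lines quoted above; the regular expressions and function names are assumptions of this example.

```python
import re

# Constructed sample: the syslog lines quoted in the post, one per line.
SNORT_LOG = """\
Nov 20 18:15:37 dpgsnrt snort: Snort analyzed 621169 out of 759204 packets,
Nov 20 18:15:37 dpgsnrt snort: dropping 138035(18.182%) packets
Nov 20 18:17:06 dpgsnrt snort.noring: Snort analyzed 1699386 out of 3264616 packets,
Nov 20 18:17:06 dpgsnrt snort.noring: dropping 1565230(47.945%) packets
"""
# Constructed sample: the two tcpdump summaries quoted in the post.
TCPDUMP_RING = "100000 packets captured 107952 packets received by filter 7850 packets dropped by kernel"
TCPDUMP_NORING = "442501 packets received by filter 342471 packets dropped by kernel"

# The syslog tag (snort / snort.noring) distinguishes the two Snort runs.
ANALYZED_RE = re.compile(r"(?P<tag>snort[\w.]*): Snort analyzed (?P<analyzed>\d+) out of (?P<total>\d+) packets")
DROP_RE = re.compile(r"(?P<tag>snort[\w.]*): dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\)")
TCPDUMP_RE = re.compile(r"(?P<received>\d+) packets received by filter\s+(?P<dropped>\d+) packets dropped by kernel")


def parse_snort(log):
    """Pair each 'analyzed' line with the 'dropping' line of the same tag."""
    stats = {}
    for line in log.splitlines():
        m = ANALYZED_RE.search(line)
        if m:
            stats[m["tag"]] = {"analyzed": int(m["analyzed"]), "total": int(m["total"])}
            continue
        m = DROP_RE.search(line)
        if m and m["tag"] in stats:
            stats[m["tag"]].update(dropped=int(m["dropped"]), reported_pct=float(m["pct"]))
    return stats


def check_snort(entry):
    """Recompute drops from the raw counters and compare with what Snort printed."""
    dropped = entry["total"] - entry["analyzed"]
    pct = round(100.0 * dropped / entry["total"], 3)
    consistent = dropped == entry["dropped"] and abs(pct - entry["reported_pct"]) < 0.001
    return {"dropped": dropped, "pct": pct, "consistent": consistent}


def tcpdump_drop_pct(summary):
    """Kernel drop percentage relative to packets that reached the filter."""
    m = TCPDUMP_RE.search(summary)
    return round(100.0 * int(m["dropped"]) / int(m["received"]), 3)


if __name__ == "__main__":
    for tag, entry in parse_snort(SNORT_LOG).items():
        print(tag, check_snort(entry))
    print("tcpdump ring drop %:", tcpdump_drop_pct(TCPDUMP_RING))
    print("tcpdump no-ring drop %:", tcpdump_drop_pct(TCPDUMP_NORING))
```

Run against a sensor's syslog, a falling "consistent" flag or a drop percentage that rises with a capture-path change is the signal that the sensor is seeing less than it reports.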