Snort mailing list archives

RE: 2.1.3rc1 Performance


From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Wed, 19 May 2004 16:32:11 -0500

Tcpreplay 2 rocks

http://sourceforge.net/projects/tcpreplay/

Capture a tcpdump file (with 3.7.2 (since we know it works))... Then
play it back.

You'll know for sure then whether 0.7.2 or 0.8.3 (or both) misbehave. 

-----Original Message-----
From: Gary_Portnoy () itginc com [mailto:Gary_Portnoy () itginc com] 
Sent: Wednesday, May 19, 2004 3:39 PM
To: Dirk Geschke
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 2.1.3rc1 Performance

netstat -ni reports all the packets since the last reboot, not really 
helpful.
Running two instances side by side doesn't really work since I can't 
launch them both or kill them both at exactly the same time.

The only way to verify that would be to inject a known amount of packets
on the wire and see which version reports the correct value.  Can anyone
recommend a tool for packet generation?  I am thinking I'd like to create
like 400,000 packets and inject them on the wire at 5mbps and see which
version reports the truth.

Thanks,
-------------------------------------------
Gary Portnoy





Dirk Geschke <Dirk () geschke-online de>
05/19/2004 03:47 PM

 
        To:     Gary_Portnoy () itginc com
        cc:     snort-users () lists sourceforge net
        Subject:        RE: [Snort-users] 2.1.3rc1 Performance


Hi Gary,

The question remains however, which version is misreporting statistics?
I suspect 0.8.3 since it reported 128.633% drop rate at one point.

hmm, drop/(recv+drop) should never exceed 100% or recv must be 
negative...

Or is 0.8.3 just that much slower? 

Anyone care to comment?

Can you verify how many packets were really on the wire
during your snort runs?

I think 'netstat -ni' should be helpful or a parallel snoop run 
on the sniffed interface. Maybe the old libpcap returned wrong
values?

Best regards

Dirk












-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
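
The check proposed in this thread (replay a capture with a known packet count, then compare each version's counters against it), as an added example that is not part of the original messages. The function names, the constructed sample capture and the counter values are assumptions made for illustration; it also assumes the replayed packets are the only traffic on the sniffed interface and that recv excludes dropped packets, as in the drop/(recv+drop) formula above.

```python
import struct

def count_pcap_packets(data: bytes) -> int:
    """Count records in a classic libpcap capture (the tcpdump -w format)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec / nsec
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec / nsec
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header")
        # Record header: ts_sec, ts_frac, captured length, original length.
        _sec, _frac, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet data")
        count += 1
    return count

def check_counters(sent: int, recv: int, drop: int) -> list:
    """Compare one sensor's reported counters against the known packet count."""
    problems = []
    if recv < 0 or drop < 0:
        problems.append("negative counter")
    if drop > sent:
        problems.append("more drops than packets sent")
    if recv + drop != sent:
        problems.append(f"recv+drop={recv + drop}, expected {sent}")
    return problems

def build_sample_pcap(n: int) -> bytes:
    """Constructed test capture: n zero-filled 60-byte frames."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, 60, 60) + bytes(60)
    return header + record * n

if __name__ == "__main__":
    sent = count_pcap_packets(build_sample_pcap(1000))
    # Constructed counter values, not figures from the thread.
    for name, recv, drop in [("sensor A", 990, 10), ("sensor B", 400, 1200)]:
        print(name, check_counters(sent, recv, drop) or "consistent")
```

On a real run, pass the bytes of the replayed capture file to `count_pcap_packets` and feed each version's end-of-run recv and drop values to `check_counters`.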


