Snort mailing list archives

Re: Query about the performance


From: Jeff Murphy <jeff.murphy () gmail com>
Date: Thu, 9 Jun 2011 09:03:52 -0400


On Jun 9, 2011, at 3:59 AM, Gaurav Suryagandh wrote:

Basically with a fairly good quality of hardware (96GB RAM and couple of multi-core processors)
will I be able to capture at line rate of 10Gbps with finite number of rules around (64- spanning across, L2, L3 and application)?

  

My experience has been that you'll need around 24 cores, a controlled approach to the types and quantities of rules you 
deploy, and an understanding of what type of traffic mix you expect. I'd prioritize in that order. Memory, while 
important, is less of a factor than, say, cores or bus throughput.


jeff


Thanks,
Gaurav

On 06/08/2011 08:58 PM, Steven Sturges wrote:
I'm not entirely sure of what you are trying to do, so it is tough
to answer specifically.

The capture rate is affected by a number of factors -- speed of
the hardware, drivers, kernel, DAQ module being used, etc.

Beyond the above, the performance of Snort itself is also affected
by the number of rules, memory settings, etc.

Snort is definitely capable of looking at packets in the context of
other packets in the flow leveraging Stream and/or flowbits.

On 6/8/11 5:54 AM, Gaurav Suryagandh wrote:
Hi All,

I am trying to incorporate Snort in my application for packet filtering.

I have two questions regarding the same.

1) How much is Snort's packet capture rate?

2) Can we filter packets based on flow?

Thanks,
Gaurav

------------------------------------------------------------------------------ 

EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel


