Firewall Wizards mailing list archives

Re: Recording slow scans


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 14 Oct 1998 10:34:42 -0400

Darren Reed wrote:
Have a look at what RealSecure (ISS's offering) requires on NT4.0:
200MHz Pentium, 128MB+ RAM, etc.  From observing it run, it doesn't
appear to be "because it's NT".  I assume it is from it keeping a
large amount of data about connections past and present "in core".

I don't recall exact numbers, but on a saturated FDDI, an NFR
that was doing filtering was tracking something like 60,000
simultaneous connections, at 17,000 packets per second. That took
some RAM and CPU - about 128MB and a 400MHz box. You flat out
can't do that kind of thing on a desktop where a user is also
doing "work" - at 17,000 packets per second, doing a pageout
to disk means you lose 6 packets, unless you've got some truly
hellacious buffering going on in there in which case you can
double the RAM requirement. (and unless you've got a multiprocessor
kernel which handles shared memory MP *fast* the buffering won't
help a lot because you can never catch up to drain the buffer)
At 17,000 packets/second, just running IP checksums eats a big
chunk of your CPU - we had to completely re-code checksumming
to make it a couple times faster than what the BSD guys use.

There are lots of folks out there who think this stuff is really
really easy. It's not. This is not kid stuff.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
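To put a number on the per-packet checksum cost Marcus describes, here is an added example (not NFR code, and not code from anyone on this list): the RFC 1071 Internet checksum in its textbook one-load-per-16-bit-word form next to the wider-accumulator form that BSD-style in_cksum routines rely on, both run over a constructed IPv4 header. The function names in_cksum16/in_cksum32 and the sample header are my own; the byte-order argument in the comments is RFC 1071 section 2.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* End-around carry: fold until the one's-complement sum fits in 16 bits. */
static uint16_t cksum_fold(uint64_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}
/* Baseline RFC 1071 checksum: one 16-bit host-order load per iteration. The
 * result is host order as well, which RFC 1071 shows is the correct order to
 * store straight back into the header, so no byte swap is needed. */
uint16_t in_cksum16(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0; uint16_t w;
    for (; len >= 2; buf += 2, len -= 2) { memcpy(&w, buf, 2); sum += w; }
    if (len) { uint8_t pad[2] = { buf[0], 0 }; memcpy(&w, pad, 2); sum += w; }
    return (uint16_t)~cksum_fold(sum);
}

/* Same arithmetic with 32-bit loads into a 64-bit accumulator: half the loop
 * iterations and all carries deferred to a single fold. Result is identical. */
uint16_t in_cksum32(const uint8_t *buf, size_t len)
{
    uint64_t sum = 0; uint32_t w4; uint16_t w2;
    for (; len >= 4; buf += 4, len -= 4) { memcpy(&w4, buf, 4); sum += w4; }
    if (len >= 2) { memcpy(&w2, buf, 2); sum += w2; buf += 2; len -= 2; }
    if (len) { uint8_t pad[2] = { buf[0], 0 }; memcpy(&w2, pad, 2); sum += w2; }
    return (uint16_t)~cksum_fold(sum);
}

/* Constructed sample: IPv4/UDP header 192.168.0.1 -> 192.168.0.199 with the
 * checksum field (offset 10) zeroed so it can be filled in. */
const uint8_t sample_hdr[20] = {
    0x45,0x00,0x00,0x73, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0xc7 };
uint8_t filled_hdr[20];

/* Copy hdr to out and fill in its checksum. Returns 1 only if both versions
 * agree and the completed header verifies (a valid header checksums to 0). */
int ipv4_fill_and_verify(uint8_t *out, const uint8_t *hdr)
{
    uint16_t c16, c32;
    memcpy(out, hdr, 20);
    out[10] = out[11] = 0;
    c16 = in_cksum16(out, 20); c32 = in_cksum32(out, 20);
    if (c16 != c32) return 0;
    memcpy(out + 10, &c32, 2);          /* host order is the wire order here */
    return in_cksum32(out, 20) == 0;
}
```

At 17,000 packets/second the sensor has well under 60 microseconds per packet for everything, so halving the loop count in this one routine is the kind of change that matters.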
