Snort mailing list archives
Re: Snort sniffing (snorfing?)
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 22 Aug 2001 14:28:57 -0700 (PDT)
On Wed, 22 Aug 2001, Wedge Breaker wrote:
1st time poster - long time listener.
Hah! We've dragged another one in! :)
I'm trying to evaluate Snort's ability to just sniff traffic and I need some help figuring out how to do it. My goal is to baseline the amount of traffic snort can handle. I'll be running Netperf or something to generate traffic and I want to see if Snort can keep up. I do know that I can do this: snort -i eth0 -v > /dev/null but Marty says in his Snort paper that running in verbose mode is slow. Is that still the case if I'm dumping to /dev/null?
Yes, it is 'slow' but the term 'slow' depends on what you want to do.
I also know that in Marty's paper, he says that in -b mode (binary logging) that Snort can keep up with 100Mbit/s traffic. That may be so, but I would think that if you wanted optimum sniffability, you wouldn't want to log any data, just count packets. Right?
Err... Well, consider this: Even though you are ditching output to /dev/null snort must read the packet (sniff), decode the packet (process), print out the packet (-v). If you log to binary with one process, rotate the logs, restart snort and then post process the packets logged to binary, you are going to get a much higher rate of traffic. The 'sniff' process only reads the data from the wire, then drops it to disk. No decoding done, no output--other than disk i/o. The slow part is the -v option which prints it out to the stdout.
Any suggestions?
Lots! But I'm not sure if they are useful here. :) What are you really trying to achieve? If it's seeing the saturation point at which snort will start to lose packets, then you should log to binary, and post process. If it's how fast it will print to screen and drop packets then use the -v switch. Sorry I'm not more help, but I'm still working on figuring out what you're shooting for. Hope this helped some.
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
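One way to check the capture side of the test described above, added here as example code (not from Snort or from anyone in the thread): count the records in the tcpdump-format file that -b writes and compare against the number of packets the generator sent; a file that ends in the middle of a record means snort was stopped before it finished writing. Paths and packet contents below are constructed for the demo.

```python
import os
import struct
import tempfile

# pcap magic in either byte order -> struct byte-order prefix for the rest of the file
_PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def count_pcap_packets(path):
    """Return (packets, bytes_on_wire, truncated) for a tcpdump-format file.
    truncated=True means the file ends mid-record, as when the capture was killed mid-write."""
    with open(path, "rb") as f:
        end = _PCAP_MAGIC.get(f.read(4))
        if end is None:
            raise ValueError("not a tcpdump/pcap file: %s" % path)
        if len(f.read(20)) < 20:  # version, tz, sigfigs, snaplen, linktype
            raise ValueError("truncated pcap global header")
        packets = wire_bytes = 0
        while True:
            rec = f.read(16)  # ts_sec, ts_usec, incl_len, orig_len
            if not rec:
                return packets, wire_bytes, False
            if len(rec) < 16:
                return packets, wire_bytes, True
            _, _, incl_len, orig_len = struct.unpack(end + "IIII", rec)
            if len(f.read(incl_len)) < incl_len:
                return packets, wire_bytes, True
            packets += 1
            wire_bytes += orig_len

def drop_rate(sent, captured):
    """Fraction of the generator's packets missing from the capture (0.0 = snort kept up)."""
    return max(0.0, (sent - captured) / sent)

def write_constructed_pcap(path, n_packets, pkt_len=60, cut_last=False):
    """CONSTRUCTED sample: zero-filled frames in a little-endian pcap; cut_last stops mid-record."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i in range(n_packets):
            rec = struct.pack("<IIII", 1000 + i, 0, pkt_len, pkt_len) + bytes(pkt_len)
            f.write(rec[:20] if cut_last and i == n_packets - 1 else rec)

def run_demo():
    # Count a clean capture and one cut off mid-write; returns both results.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "snort.log")  # constructed path, not snort's real log name
        write_constructed_pcap(p, 5)
        clean = count_pcap_packets(p)
        write_constructed_pcap(p, 5, cut_last=True)
        cut = count_pcap_packets(p)
    return {"clean": clean, "cut": cut, "drop_rate": drop_rate(5, cut[0])}
```

Run snort with -b and -l against the generator, stop it, then feed the resulting log to count_pcap_packets and the generator's sent count to drop_rate; disk i/o rather than decoding is what limits this mode, so a nonzero rate here is the saturation point Erek describes.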