Snort mailing list archives
RE: Snort sniffing (snorfing?)
From: Erek Adams <erek () theadamsfamily net>
Date: Thu, 23 Aug 2001 08:47:04 -0700 (PDT)
[Not enough coffee yet, so anyone who can jump in here...] On Thu, 23 Aug 2001, Wedge Breaker wrote:
> Just to clarify - you are saying that the background processing that is performed when using the -v option (even to /dev/null) is more overhead than writing to disk? This is pretty much the question I was asking, I guess I didn't ask it very well the first time.
Exactly. Consider the fact that the "-v" option writes to STDOUT _and_ does packet breakdown. Also, consider that the snaplen in snort is 1514 bytes whereas in tcpdump it's only 68 bytes. Think of using snoop (on Solaris) with the -v mode. You get each packet broken down in all the little things printed to screen. Extra CPU to break it down and print it. Now, snort doesn't break it down that much, but it does give you all sorts of packet data. Headers, flags, proto, etc. For it to do all that, it has to spin some cycles to grok the packet, and print it in a human readable form.
> I'm trying to find the saturation point - I don't really care about printing to the screen (hence /dev/null). Think of using tcpdump in streamlined fashion - you want a "high water mark" of how fast can it sniff. For tcpdump, I do something like tcpdump -i eth0 > /dev/null because it can capture more packets that way than any other. Once you have the theoretical maximum, you then have the baseline needed to determine what kind of traffic causes what kind of performance hit. You can always go back to your baseline. I was trying the same thing with snort, but it (snort) functions a bit differently than tcpdump.
Gotcha. Might want to check your benches against "tcpdump -w foo" and "snort -b ./foo" and compare the same traffic as your "> /dev/null" runs.
> This little effort of mine was prompted by the long-winded, blowhard, vendor-bashing stint that took place on focus-ids a while back. Those yo-yos got me thinking (vendors are good for something I guess ;) and I figured I'd see what snort could do. Just trying to establish my baseline, i.e. best possible packet capture performance.
Well, considering that both use libpcap, I'm guessing it will be somewhere in the same ballpark. Since I've not done this kind of testing, I'm just _guessing_. Hope this helps some!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
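One way to make the "high water mark" measurement in the exchange above concrete, added here as an example and not code from either poster: rather than eyeballing screen output, read the three summary lines tcpdump (via libpcap) prints to stderr at exit ("N packets captured / N packets received by filter / N packets dropped by kernel") for a series of runs at increasing offered load, and find the first rate at which kernel drops cross a threshold. The offered rates and packet counts below are constructed sample data, not measurements; the drop ratio is an approximation because whether "received by filter" already includes the dropped packets varies by platform.

```python
import re

# Constructed sample: tcpdump's exit summary captured from stderr for runs at
# increasing offered load. The packets-per-second figures are assumed, not
# measured, and the counts are made up to illustrate the onset of drops.
SAMPLE_RUNS = [
    (10000, "5000 packets captured\n"
            "5000 packets received by filter\n"
            "0 packets dropped by kernel\n"),
    (50000, "24990 packets captured\n"
            "25000 packets received by filter\n"
            "10 packets dropped by kernel\n"),
    (100000, "41250 packets captured\n"
             "50000 packets received by filter\n"
             "8750 packets dropped by kernel\n"),
]

STAT_RE = re.compile(r"(\d+) packets (captured|received by filter|dropped by kernel)")
KEYS = {
    "captured": "captured",
    "received by filter": "received",
    "dropped by kernel": "dropped",
}


def parse_pcap_stats(text):
    """Return the captured/received/dropped counts from a tcpdump exit summary.

    Raises ValueError if any of the three lines is missing, so a truncated or
    unexpected summary is never silently treated as a clean run.
    """
    stats = {}
    for count, kind in STAT_RE.findall(text):
        stats[KEYS[kind]] = int(count)
    missing = [k for k in ("captured", "received", "dropped") if k not in stats]
    if missing:
        raise ValueError("summary is missing %s count(s)" % ", ".join(missing))
    return stats


def drop_ratio(stats):
    """Fraction of packets that reached the filter but were dropped by the kernel.

    Approximation: on some libpcap platforms 'received by filter' already
    includes the dropped packets, on others it does not.
    """
    if stats["received"] == 0:
        return 0.0
    return stats["dropped"] / stats["received"]


def find_saturation(runs, max_drop=0.001):
    """Locate the saturation point across runs of (offered_rate, summary_text).

    Returns the highest offered rate whose drop ratio stays at or under
    max_drop ('last_clean') and the first rate that exceeds it
    ('first_saturated'); either is None if no run qualifies.
    """
    last_clean = None
    first_saturated = None
    for rate, text in sorted(runs):
        ratio = drop_ratio(parse_pcap_stats(text))
        if ratio <= max_drop:
            if first_saturated is None:
                last_clean = rate
        elif first_saturated is None:
            first_saturated = rate
    return {"last_clean": last_clean, "first_saturated": first_saturated}


if __name__ == "__main__":
    for rate, text in SAMPLE_RUNS:
        s = parse_pcap_stats(text)
        print("%6d pps: captured=%d received=%d dropped=%d (%.2f%% dropped)"
              % (rate, s["captured"], s["received"], s["dropped"],
                 100 * drop_ratio(s)))
    print(find_saturation(SAMPLE_RUNS))
```

The same parser works for the "-w foo" disk-writing runs the reply suggests, since tcpdump prints the same summary regardless of where packets go; comparing the two saturation points for identical traffic is the apples-to-apples baseline the thread is after.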