Snort mailing list archives
Estimating Snort's speed in processing pcaps
From: Pratik Narang <pratik.cse.bits () gmail com>
Date: Thu, 28 May 2015 17:09:44 +0530
Dear Snort users,

I was recently feeding some pcaps to Snort, and trying to understand how fast it does so. The results are a bit surprising and I think I need some help of the experts here...

So, I ran:

    sudo snort -c /etc/snort/snort.conf --pcap-dir="/path/to/dump"

It had some 4,000 files, each of around 50 MB, totaling to 200 GB. These files were captured using dumpcap on my University's backbone router, with payloads truncated to 150 bytes. "capinfos" on one such file is given below:

    capinfos trace_00001_20150502000001.pcap
    File name: trace_00001_20150502000001.pcap
    File type: Wireshark/tcpdump/... - libpcap
    File encapsulation: Ethernet
    Packet size limit: file hdr: 150 bytes
    Packet size limit: inferred: 150 bytes
    Number of packets: 419649
    File size: 51200110 bytes
    Data size: 305514817 bytes
    Capture duration: 21 seconds
    Start time: Sat May 2 00:00:01 2015
    End time: Sat May 2 00:00:22 2015
    Data byte rate: 14640117.49 bytes/sec
    Data bit rate: 117120939.92 bits/sec
    Average packet size: 728.02 bytes
    Average packet rate: 20109.37 packets/sec

What astounded me was that Snort took a little more than one hour to go through all of the pcaps. That means more than one file every second - which is amazing!!

What I wish to know here - is this processing speed of Snort "pretty normal", or am I missing something here?

FWIW, I am running Snort on a server grade machine with 64GB of RAM and 24 cores.

Cheers!