[Snort-devel] Output Plugin Delay, Latency, and PPM

Korodev korodev at ...2499...
Fri May 6 11:54:37 EDT 2011

Hey guys,

I'm pretty sure Jason B forwarded this to the snort team, but I wanted to
make sure it made it on the snort-devel list.

I'm currently running, with a custom output plugin, and only one
rule loaded which alerts on any ICMP packet.

I ran the test below with config ppm: max-pkt-time 100 (microseconds):

tcpdump sees the packet on msk0 at 17:53:40.699582
tcpdump sees the packet on bridge0 at 17:53:40.699585
tcpdump sees the packet leave msk1 at 17:53:40.799122

Custom output plugin first sees the packet at 17:53:41.228636
Custom output plugin is done with all output operations on the packet
at 17:53:41.228668

The 100 ms delay between entrance at msk0 and exit at msk1 is supposed
to be there as I'm using dummynet to simulate latency. What I'm
confused about is why it's taking ~470 milliseconds for the packet to
reach my output plugin, even when I have config ppm set at 100.

Any thoughts or other tests I should run?

