[Snort-devel] Output Plugin Delay, Latency, and PPM
korodev at ...2499...
Fri May 6 11:54:37 EDT 2011
I'm pretty sure Jason B fwded this to the snort team, but I wanted to
make sure it made it on the snort-devel list.

I'm currently running 18.104.22.168, with a custom output plugin, and only one
rule loaded which alerts on any icmp packet.

I ran the test below with config ppm: max-pkt-time 100 (microseconds):

tcpdump sees the packet on msk0 at 17:53:40.699582
tcpdump sees the packet on bridge0 at 17:53:40.699585
tcpdump sees the packet leave msk1 at 17:53:40.799122
Custom output plugin first sees the packet at 17:53:41.228636
Custom output plugin is done with all output operations on the packet

The 100 ms delay between entrance at msk0 and exit at msk1 is supposed
to be there as I'm using dummynet to simulate latency. What I'm
confused about is why it's taking ~470 milliseconds for the packet to
reach my output plugin, even when I have config ppm set at 100.

Any thoughts or other tests I should run?