[Snort-devel] Output Plugin Delay, Latency, and PPM

beenph beenph at ...2499...
Fri May 6 13:59:39 EDT 2011


Would you have other output plugins enabled at the same time?
What preprocessors are running?
Have you tried without the PPM config?


On Fri, May 6, 2011 at 11:54 AM, Korodev <korodev at ...2499...> wrote:
> Hey guys,
>
> I'm pretty sure Jason B fwded this to the snort team, but I wanted to
> make sure it made it on the snort-devel list.
>
> I'm currently running 2.9.0.5, with a custom output plugin, and only one
> rule loaded which alerts on any icmp packet.
>
> I ran the test below with config ppm: max-pkt-time 100 (microseconds)
>
> tcpdump sees the packet on msk0 at 17:53:40.699582
> tcpdump sees the packet on bridge0 at 17:53:40.699585
> tcpdump sees the packet leave msk1 at 17:53:40.799122
>
> Custom output plugin first sees the packet at 17:53:41.228636
> Custom output plugin is done with all output operations on the packet
> at 17:53:41.228668
>
> The 100 ms delay between entrance at msk0 and exit at msk1 is supposed
> to be there as I'm using dummynet to simulate latency. What I'm
> confused about is why it's taking ~470 milliseconds for the packet to
> reach my output plugin, even when I have config ppm set at 100
> microseconds?
>
> Any thoughts or other tests I should run?
>
> \\korodev



