[Snort-users] two sniffers on the same eth ifc performance impact?

Anton A. Chuvakin anton at ...5376...
Fri Mar 22 13:37:04 EST 2002

Hi all,

Just a quick question - I was not able to find an answer anywhere, and my
thinking process somehow doesn't lead me to an answer this time ;-)

What is the performance impact of running two sniffers on the same eth0
interface in UNIX/Linux. For example, for whatever weird reason I want to
run two snorts or snort and tcpdump? Will it influence the packet drop
rates? CPU utilization (beyond simply running two processes in place of
one). My problem is that I can test it in low traffic environment only and
it will have to be deployed in high-traffic one ;-(

Thanks a lot in advance!

P.S. I apologize to those who read both focus-ids and snort-users ;-)
     Anton A. Chuvakin, Ph.D.

More information about the Snort-users mailing list