[Snort-users] two sniffers on the same eth ifc performance impact?
cpw at ...440...
Fri Mar 22 15:04:02 EST 2002
I'm running 5 pcap based applications on one interface, 2 snort and 3 tcpdump
in an environment where 50,000 to 60,000 packets per second is seen on a daily
basis. Each one has a specific pcap filter, with the exception of a tcpdump
that captures the first 68 bytes of each packet. Fortunately, I don't see
60,000 packets per second for the entire 24 hour period that I monitor.
These rates happen about 16 times a day for about 30 seconds each time.
I do end up with 40 to 70 Gig pcap files from this particular tcpdump.
The computer running linux 2.4.16 is a Dell dual Pentium III (bogomips == 1979).
It has 4 Gig of memory and 3 75 Gig scsi drives.
Packet loss varies depending on the situation. The tcpdump uses the -w option,
while the snorts are running the full rule set. Usually the tcpdump
survives the 24 hour period with no loss. In order to get snort to perform
better, I've found a periodic cause of the 60,000 packets per second problem.
Since it is actually a "test" from a known host, I filter those particular
packets out with bpf.
My snorts use the full rule set, since this is more or less a test situation.
For the days Mar 20th and Mar 21st I saw the following stats:
Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets
Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets
Tcpdump saw those same packets as well as the "test" packets:
446738790 packets received by filter, 24498 packets dropped by kernel (.0054%)
431988285 packets received by filter, 0 packets dropped by kernel
Hope that helps.
On Fri, Mar 22, 2002 at 04:36:46PM -0500, Anton A. Chuvakin wrote:
> Hi all,
> Just a quick question - I was not able to find an answer anywhere, and my
> thinking process somehow doesn't lead me to an answer this time ;-)
> What is the performance impact of running two sniffers on the same eth0
> interface in UNIX/Linux. For example, for whatever weird reason I want to
> run two snorts or snort and tcpdump? Will it influence the packet drop
> rates? CPU utilization (beyond simply running two processes in place of
> one). My problem is that I can test it in low traffic environment only and
> it will have to be deployed in high-traffic one ;-(
> Thanks a lot in advance!
> P.S. I apologize to those who read both focus-ids and snort-users ;-)
> Anton A. Chuvakin, Ph.D.
Phil Wood, cpw at ...440...
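A small monitoring helper, added here as an example and not code from the thread or from Snort: it parses the two "kernel dropped" summary formats quoted above (the Snort line and the tcpdump "packets dropped by kernel" line), computes the drop rate itself rather than trusting the printed percentage, and flags any capture whose loss exceeds a threshold. The sample input reuses the figures from the post; the function names are my own.

```python
import re

# Sample summary lines, taken from the figures quoted in the post.
SAMPLE_LOG = """\
Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets
Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets
446738790 packets received by filter, 24498 packets dropped by kernel
431988285 packets received by filter, 0 packets dropped by kernel
"""

# "seen" is the total the kernel delivered to the filter; "dropped" is what it lost.
SNORT_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, The kernel dropped (\d+)")
TCPDUMP_RE = re.compile(r"(\d+) packets received by filter, (\d+) packets dropped by kernel")


def drop_rate_pct(dropped, seen):
    """Kernel drop rate as a percentage of packets seen; 0.0 if nothing was seen."""
    if seen == 0:
        return 0.0
    return 100.0 * dropped / seen


def parse_stats(text):
    """Return one record per recognised summary line; unrecognised lines are skipped."""
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SNORT_RE.search(line)
        if m:
            tool, seen, dropped = "snort", int(m.group(2)), int(m.group(3))
        else:
            m = TCPDUMP_RE.search(line)
            if not m:
                continue
            tool, seen, dropped = "tcpdump", int(m.group(1)), int(m.group(2))
        records.append({"line_no": line_no, "tool": tool, "seen": seen,
                        "dropped": dropped, "drop_pct": drop_rate_pct(dropped, seen)})
    return records


def over_threshold(records, max_pct):
    """Records whose recomputed drop rate exceeds max_pct (a sensor health check)."""
    return [r for r in records if r["drop_pct"] > max_pct]


if __name__ == "__main__":
    for r in parse_stats(SAMPLE_LOG):
        print(f'line {r["line_no"]}: {r["tool"]} dropped {r["dropped"]} of {r["seen"]} ({r["drop_pct"]:.4f}%)')
    for r in over_threshold(parse_stats(SAMPLE_LOG), 0.02):
        print(f'WARNING: line {r["line_no"]} ({r["tool"]}) exceeds 0.02% kernel drops')
```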