[Snort-users] two sniffers on the same eth ifc performance impact?

Phil Wood cpw at ...440...
Fri Mar 22 15:04:02 EST 2002


I'm running 5 pcap based applications on one interface, 2 snort and 3 tcpdump
in an environment where 50,000 to 60,000 packets per second is seen on a daily
basis.  Each one has a specific pcap filter, with the exception of a tcpdump
that captures the first 68 bytes of each packet.  Fortunately, I don't see
60,000 packets per second for the entire 24 hour period that I monitor.
These rates happen about 16 times a day for about 30 seconds each time.
I do end up with 40 to 70 Gig pcap files from this particular tcpdump.

The computer running linux 2.4.16 is a Dell dual Pentium III (bogomips == 1979).
It has 4 Gig of memory and 3 75 Gig scsi drives.

Packet loss various depending on the situation.  The tcpdump uses the -w option,
while the snort's are running the full rules set.  Usually the tcpdump 
survives the 24 hour period with no loss.  In order to get snort to perform
better, I've found a periodic cause of the 60,000 packets per second problem.
Since it is actually a "test" from a known host, I filter those particular
packets out with bpf.  

My snorts use the full rule set, since this is more or less a test situation.

For the days Mar 20th and Mar 21st I saw the following stats:

Snort analyzed 360708576 out of 360777644 packets, The kernel dropped 68944(0.019%) packets
Snort analyzed 366924064 out of 367017828 packets, The kernel dropped 93707(0.026%) packets

Tcpdump saw those same packets as well as the "test" packets:

446738790 packets received by filter, 24498 packets dropped by kernel (.0054%)
431988285 packets received by filter, 0 packets dropped by kernel

Hope that helps.

On Fri, Mar 22, 2002 at 04:36:46PM -0500, Anton A. Chuvakin wrote:
> Hi all,
> Just a quick question - I was not able to find an answer anywhere, and my
> thinking process somehow doesn't lead me to an answer this time ;-)
> What is the performance impact of running two sniffers on the same eth0
> interface in UNIX/Linux. For example, for whatever weird reason I want to
> run two snorts or snort and tcpdump? Will it influence the packet drop
> rates? CPU utilization (beyond simply running two processes in place of
> one). My problem is that I can test it in low traffic environment only and
> it will have to be deployed in high-traffic one ;-(
> Thanks a lot in advance!
> Best,
> P.S. I apologize to those who read both focus-ids and snort-users ;-)
> -- 
>      Anton A. Chuvakin, Ph.D.
>      http://www.chuvakin.org
>    http://www.info-secure.org
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Phil Wood, cpw at ...440...

More information about the Snort-users mailing list