[Snort-users] packet size
mkettler at ...4108...
Mon Aug 25 12:06:07 EDT 2003
At 02:27 PM 8/25/2003 +0300, Mehmet Ersan TOPALOGLU wrote:
>In case of constant, for example 20Mbit/s rate, network traffic.
>What is the difference between large packets and small packets
>for snort and for libpcap?
>e.g: first case: large packets -> 5000packet/s with 20Mbit/s rate
> second case: small packets -> 20.000 packets/s with 20Mbit/s rate
Well, that's the difference.. higher packets per second means that snort is
going to be called upon to process data more frequently. Now, admittedly
much of the content searching is faster because the packets are shorter,
but there are no gains in the header checks.

I'd expect that overall many short packets per second is much harder on a
snort box than large packets at the same datarate. Snort's going to have to
do more header inspections, and it's going to have to switch in and out of
pcap more often to get all this done.

Someone more familiar with the code might be able to answer this more
accurately, but I'd venture to guess snort performance scales linearly with
packet rate, and logarithmically with packet size. In "big O" notation, my
guess would be expressed as O(n * log s), where n is the number of packets
and s is their size.

Of course, the exact numbers will obviously be very complex based on the
number of rules with header checks, what HOME_NET is set to, how many "any
any -> any any" rules are present, what types of packets and plugins are
used, etc. I'm just giving a very rough guess at how the performance scales
in terms of order of magnitude, based on a very limited understanding of
how snort works, and making many gross assumptions about the details of it all.