[Snort-users] packet size

Matt Kettler mkettler at ...4108...
Mon Aug 25 12:06:07 EDT 2003

At 02:27 PM 8/25/2003 +0300, Mehmet Ersan TOPALOGLU wrote:
>In case of constant, for example 20Mbit/s rate, network traffic.
>What is the difference between large packets and small packets
>for snort and for libpcap?
>e.g: first case: large packets -> 5000 packets/s with 20Mbit/s rate
>       second case: small packets -> 20.000 packets/s with 20Mbit/s rate

Well, that's the difference.. higher packets per second means that snort is 
going to be called upon to process data more frequently. Now, admittedly 
much of the content searching is faster because the packets are shorter, 
but there are no gains in the header checks.

I'd expect that overall many short packets per second is much harder on a 
snort box than large packets at the same datarate. Snort's going to have to 
do more header inspections, and it's going to have to switch in and out of 
pcap more often to get all this done.

Someone more familiar with the code might be able to answer this more 
accurately, but I'd venture to guess snort performance scales linearly with 
packet rate, and logarithmically with packet size. In "big O" notation, my 
guess would be expressed as O(n * log s), where n is the number of packets 
and s is their size.

Of course, the exact numbers will obviously be very complex based on the 
number of rules with header checks, what HOME_NET is set to, how many "any 
any -> any any" rules are present, what types of packets and plugins are 
used, etc. I'm just giving a very rough guess at how the performance scales 
in terms of order of magnitude, based on a very limited understanding of 
how snort works, and making many gross assumptions about the details of it all.
