[Snort-users] Performance again

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Dec 23 06:20:02 EST 2003


Hi all,

I would like you to take a look at this:

http://www.truesec.de/Perfmon.html

It is the output of the performance monitor. I'm trying to find out
which network parameters have the greatest influence on Snort's
performance:

1. Many open sessions
2. Big packets
3. System load
4. Internals
5. Alert Count
6. ...

and so on.

Therefore I took out some lines from my perfmon.log and tried to
compare different situations in which Snort was losing packets.

My first conclusion is that the bigger the packets are, the more
packets are being dropped, while the open sessions count has almost
no influence. Interesting that Snort will handle more than 700
sessions simultaneously with no packet loss :) (I only included
the lines where packet drops occurred).

I would like any comments on this, and if available, results from the
performance monitor.

The results are from Snort 2.0.5 but I'll do the same with Snort 2.1.0
soon. That may be more interesting. ;)

The machine is Linux 2.4.22, PW pcap, PIII 1GHz, 512MB RAM, WD HD UDMA5.

Regards,
Edin

-- 
Edin Dizdarevic




