[Snort-users] Performance again
mkettler at ...4108...
Tue Dec 23 08:24:01 EST 2003
At 10:55 AM 12/23/2003, Edin Dizdarevic wrote:
>The first question is anyway, what is actually meant by the statistics?
>It would be interesting to know, in which stages of the process a
>packet drop may occur and what is meant by the output/perfmon:
>1. During the capture (and copy from the kernel to the user space)
>2. During the preprocessing/reassembling/decoding
>3. During the pattern matching/alerting
>4. During the output
With libpcap, packets are queued into a buffer for snort to read. That
buffer is a fixed size. When snort reads a packet, it is removed from the
buffer and that space is freed for new packets to arrive.
If new packets arrive and the buffer is full, the old ones are dropped.
Thus, a packet drop is not something that happens within any of the above
stages, it happens when all of 2-4 aren't completed before 1 happens again.
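The point made in the reply above, as an added example that is not part of the original message or of Snort or libpcap: a small C simulation of a fixed-size capture buffer drained by a single reader. The slot counts, arrival gap and per-stage costs are constructed values, and the model only counts drops, since the count is the same whichever packet the full buffer discards.

```c
#include <stdio.h>

/* Per-packet cost of stages 2-4 in microseconds (constructed values). */
struct stage_cost { unsigned preprocess_us, detect_us, output_us; };
struct capture_stats { unsigned arrived, dropped; };

/* `count` packets arrive every `gap_us` into a buffer of `slots` packets.
   One reader removes a packet, then spends the summed stage cost on it. */
struct capture_stats simulate(unsigned slots, unsigned count,
                              unsigned gap_us, struct stage_cost c)
{
    struct capture_stats st = {0, 0};
    unsigned long service = c.preprocess_us + c.detect_us + c.output_us;
    unsigned long busy_until = 0;   /* when the reader finishes its packet */
    unsigned queued = 0;            /* packets waiting in the buffer */
    int busy = 0;

    for (unsigned i = 0; i < count; i++) {
        unsigned long now = (unsigned long)i * gap_us;
        /* Catch the reader up: each finished packet lets it take the next. */
        while (busy && busy_until <= now) {
            if (queued > 0) { queued--; busy_until += service; }
            else busy = 0;
        }
        st.arrived++;
        if (!busy) { busy = 1; busy_until = now + service; } /* read at once */
        else if (queued < slots) queued++;                   /* wait in buffer */
        else st.dropped++;                                   /* buffer full */
    }
    return st;
}

int main(void)
{
    struct stage_cost fast = {3, 4, 2}, slow_out = {3, 4, 5}, slow_pre = {6, 4, 2};
    /* 1000 packets, one every 10 us */
    printf("9 us/pkt, 4 slots:            %u dropped\n", simulate(4, 1000, 10, fast).dropped);
    printf("12 us/pkt (slow output):      %u dropped\n", simulate(4, 1000, 10, slow_out).dropped);
    printf("12 us/pkt (slow preprocess):  %u dropped\n", simulate(4, 1000, 10, slow_pre).dropped);
    printf("12 us/pkt, 64 slots:          %u dropped\n", simulate(64, 1000, 10, slow_out).dropped);
    return 0;
}
```

Where the 12 microseconds are spent makes no difference to the drop count, and a larger buffer only delays the first drop while the reader stays slower than the arrival rate.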