[Snort-users] How To Measure Promiscuous Mode ...
dmourati at ...3877...
Thu Jul 24 11:57:43 EDT 2003
See my answers inline below:
On Thu, 24 Jul 2003, John Crain wrote:
> I read that placing an interface in promiscuous mode increases system
> utilization, but I didn't find any specifics. Does anyone have any
> suggestions on how to measure the impact on a system by placing an
> interface in promiscuous mode?
> Q1: Would the impact on the system be dependent on the number of
> packets the system had to process?
A1: Yes. The load on the system is directly proportional to the
ammount of traffic.
> Q2: To take accurate measurements, would you agree that a packet
> generator would be necessary for testing?
A2: Maybe. If you wanted to do a benchmark, you would need to control
the input, i.e., packets hitting your sensor. Otherwise, you can hook
your sensor up to see real data, measure the load on your sensor box, and
adjust from there.
> Q3: If yes to Q2, is it possible to build a packet generator to spit out
> the exact same type and number of packets for repeated testing?
A3: Sure. A while loop comes to mind ;-)
> Q4: If a sensor interface with no IP address is attached to a SPAN
> port, does the sensor interface need to be in promiscuous mode? (I don't
> believe it does since all packets on the switch/router are being shot at
> the sensor and the sensor has no IP address to discern.)
A4: Yes. Withough putting that interface in promiscuous mode, all the
packets will be dropped as none are destined to the non-existant IP
> Q5: If a sensor interface with an IP address is attached to a SPAN port
> and the interface is not in promiscuous mode, will the sensor interface
> be able to "see" all packets from the SPAN port?
A4: No. Same as above. Just because the packets are on the wire
doesn't mean the interface will pick them up. That's why they call it
promiscuous mode ;-)
Good luck and happy snorting.
dmourati at ...3878...
More information about the Snort-users