[Snort-users] Linux Ring buffer packet capture vs. normal capture

Scott Zawalski scott.zawalski at ...5689...
Thu Nov 20 18:32:02 EST 2003


I have been using Phil's libpcap with ring buffer support for quite some 
time enjoying about half as much packet drop on my gigabit connection 
compared to normal libpcap. However, I then reverted back to the regular 
libpcap to do some testing and I noticed that without Phil's patch snort 
gathers larger amounts of packets quicker. Why is this? Is the ring 
buffer just silently being overwritten when snort is not able to process 
all the packets being picked up? Is this in a sense creating a blind eye 
to me making me think I am viewing more traffic than I really am?

I am using:
Kernel 2.4.22
P4 2 GHz
1 GB RIMM 800 MHz
Intel Pro/1000 T Server (e1000 driver)


Data points (Snort and TCPDUMP)

This is my benchmarking "test"; yes, I know it is not the most 
scientific, but it is a quick throw-together.

snort -i eth1 -c /etc/snort/snort.conf -D ; sleep 10 ; kill -SIGUSR1 `pidof snort`

With ring

Nov 20 18:15:37 dpgsnrt snort: Snort analyzed 621169 out of 759204 packets,
Nov 20 18:15:37 dpgsnrt snort: dropping 138035(18.182%) packets

without ring

Nov 20 18:17:06 dpgsnrt snort.noring: Snort analyzed 1699386 out of 3264616 packets,
Nov 20 18:17:06 dpgsnrt snort.noring: dropping 1565230(47.945%) packets

Note that without ring support ~3 million packets were gathered.

With ring support only ~800k were gathered.

TCPDUMP w/Ring buffer

dpgsnrt [ ~/download/tcpdump-2003.11.20 ]:time ./tcpdump -i eth1 -s 1500 -w /dev/null -c 100000
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
100000 packets captured
107952 packets received by filter
7850 packets dropped by kernel

real    0m0.672s
user    0m0.080s
sys     0m0.580s


TCPDUMP without Ring buffer

dpgsnrt [ ~/download/libpcap-0.8.1104 ]:time tcpdump -i eth1 -s 1500 -w /dev/null -c 100000
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: listening on eth1
442501 packets received by filter
342471 packets dropped by kernel

real    0m2.893s
user    0m0.240s
sys     0m2.070s


Note the time differences. With ring support the time is extremely low. 
However, without ring buffer it took ~3 times as long.

What am I missing here? I have read a little bit about ring buffers but I 
am far from understanding them completely. Is the modified libpcap not 
gathering all the packets I am getting and just silently overwriting its 
buffer?


Thank you for your time, I know it's long!

Scott
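The benchmark in the post compares the two libpcap builds by the drop percentage Snort prints after SIGUSR1 and by the "received by filter / dropped by kernel" summary tcpdump prints on exit, but the two runs saw very different packet counts in the same wall-clock time. The following script is an added example, not code from the post or from Snort or tcpdump: it parses exactly those summary lines (the sample lines below are constructed to match the format shown above) and normalizes them into drop percentage and packets per second received and analyzed, so that a ring-buffer run and a plain run can be put side by side on equal terms. The `bench_snort` wrapper repeats the post's procedure; its interface name, the 10-second window and the syslog path `/var/log/messages` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: turn the statistics produced by
# the post's procedure (Snort's SIGUSR1 summary in syslog, tcpdump's exit
# summary and `time`) into numbers comparable across runs: drop percentage
# AND packets per second received/analyzed. All sample log lines below are
# constructed; the syslog path and the run length in bench_snort are assumptions.

# Print "analyzed total dropped" from Snort's two SIGUSR1 statistics lines.
snort_stats() {
    analyzed=$(printf '%s\n' "$1" | sed -n 's/.*analyzed \([0-9][0-9]*\) out of \([0-9][0-9]*\) packets.*/\1/p')
    total=$(printf '%s\n' "$1" | sed -n 's/.*analyzed \([0-9][0-9]*\) out of \([0-9][0-9]*\) packets.*/\2/p')
    dropped=$(printf '%s\n' "$1" | sed -n 's/.*dropping \([0-9][0-9]*\)(.*/\1/p')
    printf '%s %s %s\n' "$analyzed" "$total" "$dropped"
}

# Print "received dropped" from tcpdump's exit summary lines.
tcpdump_stats() {
    received=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\) packets received by filter.*/\1/p')
    kdropped=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\) packets dropped by kernel.*/\1/p')
    printf '%s %s\n' "$received" "$kdropped"
}

# Convert a `time` figure such as 0m2.893s into seconds (e.g. 2.893).
time_seconds() {
    printf '%s\n' "$1" | sed 's/m/ /; s/s$//' | awk '{ printf "%.3f\n", $1 * 60 + $2 }'
}

# Percentage of received packets that were dropped, to three decimals
# (the same figure Snort prints in parentheses). Args: total dropped
drop_pct() { awk -v t="$1" -v d="$2" 'BEGIN { printf "%.3f\n", 100 * d / t }'; }

# Packets per second; this is what makes runs of different length or with
# different total packet counts comparable. Args: count seconds
pkt_rate() { awk -v n="$1" -v s="$2" 'BEGIN { printf "%.0f\n", n / s }'; }

# One-line report for a Snort run. Args: snort_stat_lines run_seconds
snort_report() {
    set -- $(snort_stats "$1") "$2"      # $1 analyzed, $2 total, $3 dropped, $4 seconds
    printf 'drop=%s%% analyzed/s=%s received/s=%s\n' \
        "$(drop_pct "$2" "$3")" "$(pkt_rate "$1" "$4")" "$(pkt_rate "$2" "$4")"
}

# The post's procedure, wrapped: start Snort daemonized, let it run, request
# statistics with SIGUSR1, then pull the two summary lines out of syslog.
# Args: interface run_seconds (defaults are assumptions, as is the log path).
bench_snort() {
    iface=${1:-eth1}; secs=${2:-10}
    snort -i "$iface" -c /etc/snort/snort.conf -D
    sleep "$secs"
    kill -USR1 "$(pidof snort)"
    sleep 1   # give syslog a moment to write the statistics
    lines=$(grep -e 'Snort analyzed' -e 'dropping' /var/log/messages | tail -n 2)
    snort_report "$lines" "$secs"
}

# Constructed sample input in the format the post shows (not real captures).
SNORT_RING='Nov 20 18:15:37 dpgsnrt snort: Snort analyzed 621169 out of 759204 packets,
Nov 20 18:15:37 dpgsnrt snort: dropping 138035(18.182%) packets'
TCPDUMP_RING='100000 packets captured
107952 packets received by filter
7850 packets dropped by kernel'

# Only run the live benchmark when explicitly asked; parsing works offline.
if [ "${1:-}" = "run" ]; then
    bench_snort "${2:-eth1}" "${3:-10}"
else
    snort_report "$SNORT_RING" 10
    set -- $(tcpdump_stats "$TCPDUMP_RING") "$(time_seconds 0m0.672s)"
    printf 'tcpdump: received/s=%s kernel-drop=%s%%\n' "$(pkt_rate "$1" "$3")" "$(drop_pct "$1" "$2")"
fi
```

Run it with no arguments to see the parsed figures for the constructed sample; `sh bench.sh run eth1 10` performs the live measurement (as root, with Snort installed). Whatever the cause of the difference between the two libpcap builds, comparing received/s and analyzed/s rather than the drop percentage alone shows whether a lower drop figure came with more or fewer packets actually being seen.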



