[Snort-users] Snort's Processing Rate
mkettler at ...4108...
Tue Apr 13 14:36:09 EDT 2004
At 01:53 PM 4/13/2004, Sherif Yusuf wrote:
>I hust need to know the maximum (maybe published, doesnt have to be)
>packet processing rate while using Snort. If I could get a reference to
>where this number is stated that would be great.
I don't think there is any single maximum packet processing rate. But for
starters, the sourcefire NS3000 (a VERY highly tuned snort sensor with lots
of add-on utilities, but still runs the same snort code at it's core) is
rated for wire-speed gigabit ethernet with 0% loss.
Of course, I assume that spec is based on full-sized ethernet frames. I'd
be surprised (and impressed!) if they could keep up with gigabit ethernet
saturated with 64byte packets (even most gigabit firewalls can't keep up
with tiny packets at wire-speed). However, such a network load is highly
I don't know of any efforts offhand to make snort run on 10gb/sec ethernet.
Aside from "interface wire rate" as a hard maximum, Snort's maximum
processing rate is going to be a function of all of these variables (and
probably some I missed):
CPU speed and architecture
IO bus architecture to network interface
IO bus architecture to system RAM
Available RAM (ie: are you paging? how much is used for disk
variety of PCAP interface
OS kernel (vm, scheduler, etc)
system performance tuning
rate of alert
IO speed to logging mechanism
More information about the Snort-users