[Snort-users] 2.1.3rc1 Performance

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Wed May 19 09:32:11 EDT 2004

FWIW, I've tested 2.1.3 (latest from cvs) on a link pushing about 40k
packets per second (400Mbps). No dropped packets. Machine is a
@$2500 machine with built-in gig interfaces.

-----Original Message-----
From: Dirk Geschke [mailto:Dirk_Geschke at ...1344...] 
Sent: Wednesday, May 19, 2004 10:12 AM
To: Gary_Portnoy at ...11307...
Cc: Dirk Geschke; snort-users at lists.sourceforge.net;
Dirk_Geschke at ...1344...
Subject: Re: [Snort-users] 2.1.3rc1 Performance 

Hi Gary,

> The rules were the same, I just changed the link to the snort binary,
> that's not it.

that's good. 

> Did pcre get rewritten, because it's been supported for a while now???

I am not sure, but I fear it is a performance penalty to use regular
expressions to match against a network packet.

> As for the libpcap question, I'll try to find out, because someone
> compiled the 2.1.1 binary on a different machine.  But the 2.1.3rc1
> that I compiled, libpcap is the most recent version 0.8.3.  In fact, I can
> guarantee that it was a different version since 0.8.3 was released on
> March 30 and I've had the 2.1.1 binary since before then.  But
> the newer version of libpcap be faster and more efficient?

Yes and no. But sometimes newer releases introduce newer bugs/problems.
(So maybe this counts for snort too.)

It also depends on your operating system. If you use Linux then you
use the ring buffer libpcap version of Phil Wood at 


With older libpcap versions on linux I have seen some strange
of statistics and especially the RedHat version used a complete
kind how statistics are counted.

Maybe you should recompile the old snort version with the actual libpcap
and try this version again to have a "real" comparison?

Best regards

