[Snort-users] IPtables QUEUE performance numbers from Ixia

Brad Doctor brad at ...13458...
Thu Aug 25 12:40:07 EDT 2005

Will Metcalf asked if anyone had done this sort of testing.

The server is a dual opteron 875 dual-core (2.2gHz, 1Mb L2), Tyan
S2895KWE (2 x16 full-speed PCIE).  Two SysKonnect PCI-E NICs, the
SK-9E22.  One RAID-0 disk subsystem (hdparm -t reports 105MB on
average), memory is crucial, whatever the max speed memory for this
thing is.

Kernel is and/or -- no differences in performance.

The software is Ixia ixChariot, the endpoints are very fast devices that
will sustain 980Mbps bridged through this box all day long with very
little variation.

So, some numbers:

IPtables QUEUE, full ruleset of about 2700 or so - no PCRE:

Avg: 273.299
Min: 270.270
Max: 275.862

IPtables QUEUE, zero ruleset of 0 rules:

Avg: 388.389
Min: 284.698
Max: 400.00

One other thing that is kind of not progressing any more due to the
NFQUEUE work being done for future kernels is the divert sockets for
linux (http://sourceforge.net/projects/ipdivert).  Some numbers from that:

DIVERT, full ruleset of about 2700 or so - no PCRE (same as above, in
fact same binary as above):

Avg: 312.940
Min: 162.602
Max: 331.95

DIVERT, no rules:

Avg: 414.910
Min: 139.130
Max: 484.849

Hope this helps - let me know if you have any questions or need more
information.  Happy to provide.

*Brad Doctor, CISSP**
Director, Security Research*

303-381-3807 Direct
303-381-3881 Fax

www.stillsecure.com <http://www.stillsecure.com>
/Reducing your risk has never been this easy/
. . .
/The information transmitted is intended only for the person
to whom it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer. /

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050825/3a1f9b0d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050825/3a1f9b0d/attachment.sig>

More information about the Snort-users mailing list