[Snort-users] Estimating Snort's speed in processing pcaps

Pratik Narang pratik.cse.bits at ...11827...
Thu May 28 07:39:44 EDT 2015


Dear Snort users,

I was recently feeding some pcaps to Snort, and trying to understand
how fast it does so. The results are a bit surprising and I think I need
some help of the experts here...

So, I ran: sudo snort -c /etc/snort/snort.conf --pcap-dir="/path/to/dump".
It had some 4,000 files, each of around 50
MB, totaling to 200 GB. These files were captured using dumpcap on my
University's backbone router, with payloads truncated to 150 bytes.
"capinfos" on one such file is given below:

capinfos trace_00001_20150502000001.pcap
File name:           trace_00001_20150502000001.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 150 bytes
Packet size limit:   inferred: 150 bytes
Number of packets:   419649
File size:           51200110 bytes
Data size:           305514817 bytes
Capture duration:    21 seconds
Start time:          Sat May  2 00:00:01 2015
End time:            Sat May  2 00:00:22 2015
Data byte rate:      14640117.49 bytes/sec
Data bit rate:       117120939.92 bits/sec
Average packet size: 728.02 bytes
Average packet rate: 20109.37 packets/sec

What astounded me was that Snort took a little more than one hour to
go through all of the pcaps. That means more than one file every
second - which is amazing!!
What I wish to know here - is this processing speed of Snort "pretty
normal", or am I missing something here?
FWIW, I am running Snort on a server grade machine with 64GB of RAM
and 24 cores.

Cheers!
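To put the figures in this post on a common footing, here is an added example (not part of the original message) that parses the quoted capinfos output and scales it to the full run. It assumes all 4,000 files resemble the one shown and a wall-clock time of 3600 s for "a little more than one hour"; both are assumptions, not values from the post.

```python
import re

# Constructed copy of the capinfos fields quoted in the post (one of ~4,000 files).
CAPINFOS_SAMPLE = """\
File name:           trace_00001_20150502000001.pcap
Number of packets:   419649
File size:           51200110 bytes
Data size:           305514817 bytes
Capture duration:    21 seconds
Average packet rate: 20109.37 packets/sec
"""

def parse_capinfos(text):
    """Return {field: value}; a value that starts with a number becomes a float."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, raw = line.partition(":")
        raw = raw.strip()
        num = re.match(r"^[\d.]+", raw)
        info[key.strip()] = float(num.group()) if num else raw
    return info

def estimate_throughput(info, n_files, wall_seconds):
    """Scale one file's counters to n_files and divide by the processing time.

    'Data size' is the original on-the-wire byte count (before the 150-byte
    snap), so data_bps is the equivalent line rate Snort kept pace with;
    file_bps is the rate at which truncated pcap bytes were read from disk.
    realtime_factor compares total capture time with processing time.
    """
    packets = info["Number of packets"] * n_files
    data_bytes = info["Data size"] * n_files
    file_bytes = info["File size"] * n_files
    capture_seconds = info["Capture duration"] * n_files
    return {
        "packets_per_sec": packets / wall_seconds,
        "data_bps": data_bytes * 8 / wall_seconds,
        "file_bps": file_bytes * 8 / wall_seconds,
        "realtime_factor": capture_seconds / wall_seconds,
    }

if __name__ == "__main__":
    # Assumed run: 4,000 files in 3600 s (post says "a little more than one hour").
    result = estimate_throughput(parse_capinfos(CAPINFOS_SAMPLE), 4000, 3600)
    for name, value in result.items():
        print(f"{name:>16}: {value:,.2f}")
```

Under these assumptions the run corresponds to roughly 466k packets/s and about 2.7 Gbit/s of original line rate, or 23 times faster than real time; note that the inspection work was done on payloads truncated to 150 bytes, so the disk-read rate (~455 Mbit/s) is the figure closer to what Snort actually processed.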
