[Snort-users] Estimating Snort's speed in processing pcaps

Y M snort at ...15979...
Thu May 28 09:00:58 EDT 2015


Hi Patrik,

Things to consider also:

1. The number of preprocessors enabled (HTTP, SMTP, etc.).
2. The configuration of each preprocessor. For example, server_flow_depth and client_flow_depth in http_inspect.
3. The number of rules enabled AND included in your snort.conf.
4. The output plugin used (unified2, full text, log_dump, console).
5. How your HOME_NET and EXTERNAL_NET are configured. 

All of these may have an impact on how Snort may perform at least when doing live detection.
YM

> Date: Thu, 28 May 2015 17:09:44 +0530
> From: pratik.cse.bits at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Estimating Snort's speed in processing pcaps
> 
> Dear Snort users,
> 
> I was recently feeding some pcaps to Snort, and trying to understand
> how fast it does so. The results are a bit surprising and I think I need
> some help of the experts here...
> 
> So, I ran: sudo snort -c /etc/snort/snort.conf
> --pcap-dir="/path/to/dump". It had some 4,000 files, each of around 50
> MB, totaling to 200 GB. These files were captured using dumpcap on my
> University's backbone router, with payloads truncated to 150 bytes.
> "capinfos" on one such file is given below:
> 
> capinfos trace_00001_20150502000001.pcap
> File name:           trace_00001_20150502000001.pcap
> File type:           Wireshark/tcpdump/... - libpcap
> File encapsulation:  Ethernet
> Packet size limit:   file hdr: 150 bytes
> Packet size limit:   inferred: 150 bytes
> Number of packets:   419649
> File size:           51200110 bytes
> Data size:           305514817 bytes
> Capture duration:    21 seconds
> Start time:          Sat May  2 00:00:01 2015
> End time:            Sat May  2 00:00:22 2015
> Data byte rate:      14640117.49 bytes/sec
> Data bit rate:       117120939.92 bits/sec
> Average packet size: 728.02 bytes
> Average packet rate: 20109.37 packets/sec
> 
> What astounded me was that Snort took a little more than one hour to
> go through all of the pcaps. That means more than one file every
> second - which is amazing!!
> What I wish to know here - is this processing speed of Snort "pretty
> normal", or am I missing something here?
> FWIW, I am running Snort on a server grade machine with 64GB of RAM
> and 24 cores.
> 
> Cheers!
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
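To put the numbers in the quoted post on a common footing, here is an added example (not code from the thread or from the Snort project) that parses the capinfos output shown above and scales that one file to the whole run. It assumes all 4,000 files resemble the quoted one and takes "a little more than one hour" as 3,600 seconds; both are assumptions, not figures from the post.

```python
"""Estimate Snort's effective pcap replay rate from capinfos output."""
import re

# Constructed sample: the capinfos lines quoted in the original post.
CAPINFOS_SAMPLE = """\
File name:           trace_00001_20150502000001.pcap
Packet size limit:   file hdr: 150 bytes
Number of packets:   419649
File size:           51200110 bytes
Data size:           305514817 bytes
Capture duration:    21 seconds
Data bit rate:       117120939.92 bits/sec
Average packet rate: 20109.37 packets/sec
"""

# Assumed run parameters (the post says ~4,000 files in "a little more
# than one hour"; 3600 s is an assumption, not a figure from the post).
N_FILES = 4000
WALL_SECONDS = 3600


def parse_capinfos(text):
    """Return {field: number} for capinfos lines whose value starts with a number."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        m = re.match(r"\s*([-+]?\d+(?:\.\d+)?)", value) if sep else None
        if m:
            fields[key.strip()] = float(m.group(1))
    return fields


def estimate_run(info, n_files=N_FILES, wall_seconds=WALL_SECONDS):
    """Scale one file's stats to n_files processed in wall_seconds.

    'Data size' is the pre-truncation byte count, so bits_per_sec is the
    rate of the original traffic Snort kept up with, not the 150-byte
    snaplen bytes it actually read.
    """
    packets = info["Number of packets"] * n_files
    data_bits = info["Data size"] * 8 * n_files
    capture_seconds = info["Capture duration"] * n_files
    return {
        "packets_per_sec": packets / wall_seconds,
        "bits_per_sec": data_bits / wall_seconds,
        "speedup_vs_realtime": capture_seconds / wall_seconds,
    }


if __name__ == "__main__":
    for k, v in estimate_run(parse_capinfos(CAPINFOS_SAMPLE)).items():
        print(f"{k:>22}: {v:,.1f}")
```

Under those assumptions the run works out to roughly 466,000 packets/s, about 2.7 Gbit/s of original traffic, or about 23x faster than the capture's real time; the factors listed in the reply above (preprocessors, rule count, output plugin) are what move that figure.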