[Snort-users] Estimating Snort's speed in processing pcaps

Pablo Cantos Polaino pcantos at ...16842...
Thu May 28 10:17:00 EDT 2015


Hi Patrik,

Could you please paste here the Snort output?

Best Regards,

Pablo Cantos
redborder.org / pcantos at ...16842...

2015-05-28 15:00 GMT+02:00 Y M <snort at ...15979...>:

> Hi Patrik,
>
> Things to consider also:
>
> 1. The number of preprocessors enabled (HTTP, SMTP, etc.).
> 2. The configuration of each preprocessor. For example, server_flow_depth
> and client_flow_depth in http_inspect.
> 3. The number of rules enabled AND included in your snort.conf.
> 4. The output plugin used (unified2, full text, log_dump, console).
> 5. How your HOME_NET and EXTERNAL_NET are configured.
>
> All of these may have an impact on how Snort may perform at least when
> doing live detection.
> YM
>
> > Date: Thu, 28 May 2015 17:09:44 +0530
> > From: pratik.cse.bits at ...11827...
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Estimating Snort's speed in processing pcaps
>
> >
> > Dear Snort users,
> >
> > I was recently feeding some pcaps to Snort, and trying to understand
> > how fast it does so. The results are a bit surprising and I think I need
> > some help of the experts here...
> >
> > So, I ran: sudo snort -c /etc/snort/snort.conf
> > --pcap-dir="/path/to/dump". It had some 4,000 files, each of around 50
> > MB, totaling to 200 GB. These files were captured using dumpcap on my
> > University's backbone router, with payloads truncated to 150 bytes.
> > "capinfos" on one such file is given below:
> >
> > capinfos trace_00001_20150502000001.pcap
> > File name: trace_00001_20150502000001.pcap
> > File type: Wireshark/tcpdump/... - libpcap
> > File encapsulation: Ethernet
> > Packet size limit: file hdr: 150 bytes
> > Packet size limit: inferred: 150 bytes
> > Number of packets: 419649
> > File size: 51200110 bytes
> > Data size: 305514817 bytes
> > Capture duration: 21 seconds
> > Start time: Sat May 2 00:00:01 2015
> > End time: Sat May 2 00:00:22 2015
> > Data byte rate: 14640117.49 bytes/sec
> > Data bit rate: 117120939.92 bits/sec
> > Average packet size: 728.02 bytes
> > Average packet rate: 20109.37 packets/sec
> >
> > What astounded me was that Snort took a little more than one hour to
> > go through all of the pcaps. That means more than one file every
> > second - which is amazing!!
> > What I wish to know here - is this processing speed of Snort "pretty
> > normal", or am I missing something here?
> > FWIW, I am running Snort on a server grade machine with 64GB of RAM
> > and 24 cores.
> >
> > Cheers!
> >
> >
> ------------------------------------------------------------------------------
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
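As an added example (not code from this thread or from the Snort project): a small Python script that turns capinfos output into the throughput figures the question is really about. It parses the long-format capinfos summary quoted in the original post, totals packets, on-disk bytes and capture duration over a set of files, and divides those totals by the wall-clock time Snort needed to read them. The embedded sample input is the single capinfos block from the post; the corpus of 4,000 identical files and a run time of 3,700 s ("a little more than one hour") are assumptions taken from the post, and all function and field names are my own.

```python
"""Estimate Snort's pcap replay throughput from capinfos output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the capinfos block quoted in the original post.
# Newer capinfos abbreviates large counts ("419 k"); run `capinfos -M`
# to keep values machine-readable for this parser.
SAMPLE_CAPINFOS = """\
File name:           trace_00001_20150502000001.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 150 bytes
Packet size limit:   inferred: 150 bytes
Number of packets:   419649
File size:           51200110 bytes
Data size:           305514817 bytes
Capture duration:    21 seconds
Start time:          Sat May  2 00:00:01 2015
End time:            Sat May  2 00:00:22 2015
Data byte rate:      14640117.49 bytes/sec
Data bit rate:       117120939.92 bits/sec
Average packet size: 728.02 bytes
Average packet rate: 20109.37 packets/sec
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$")
NUMBER_RE = re.compile(r"\d[\d,]*(?:\.\d+)?")


@dataclass
class PcapStats:
    name: str
    packets: int
    file_bytes: int    # bytes on disk: what Snort actually reads and inspects
    data_bytes: int    # original on-wire bytes, before snaplen truncation
    duration_s: float  # capture duration, i.e. the real time the file represents


def _number(value: str) -> float:
    """First numeric token in a capinfos value such as '51200110 bytes'."""
    return float(NUMBER_RE.search(value).group(0).replace(",", ""))


def _to_stats(fields: dict) -> PcapStats:
    return PcapStats(
        name=fields["File name"],
        packets=int(_number(fields["Number of packets"])),
        file_bytes=int(_number(fields["File size"])),
        data_bytes=int(_number(fields["Data size"])),
        duration_s=_number(fields["Capture duration"]),
    )


def parse_capinfos(text: str) -> list:
    """Parse capinfos long-format output; each 'File name:' line starts a new file."""
    stats, fields = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "File name" and fields:
            stats.append(_to_stats(fields))
            fields = {}
        fields[key] = value
    if fields:
        stats.append(_to_stats(fields))
    return stats


@dataclass
class Throughput:
    files: int
    packets: int
    file_bytes: int
    data_bytes: int
    capture_s: float
    wall_s: float

    @property
    def files_per_s(self) -> float:
        return self.files / self.wall_s

    @property
    def packets_per_s(self) -> float:
        return self.packets / self.wall_s

    @property
    def inspected_mbit_s(self) -> float:
        """Rate in terms of bytes Snort saw on disk, not the original wire rate."""
        return self.file_bytes * 8 / self.wall_s / 1e6

    @property
    def realtime_factor(self) -> float:
        """Seconds of capture replayed per second of wall clock (>1 = faster than live)."""
        return self.capture_s / self.wall_s

    @property
    def captured_fraction(self) -> float:
        """Share of on-wire bytes actually present in the files (snaplen effect)."""
        return self.file_bytes / self.data_bytes


def estimate(stats: list, wall_s: float) -> Throughput:
    """Relate the totals of a pcap set to the wall-clock time Snort took on it."""
    return Throughput(
        files=len(stats),
        packets=sum(s.packets for s in stats),
        file_bytes=sum(s.file_bytes for s in stats),
        data_bytes=sum(s.data_bytes for s in stats),
        capture_s=sum(s.duration_s for s in stats),
        wall_s=wall_s,
    )


if __name__ == "__main__":
    # Assumption: 4,000 files like the quoted one, processed in 3,700 s of wall clock.
    t = estimate(parse_capinfos(SAMPLE_CAPINFOS) * 4000, wall_s=3700)
    print(f"{t.files} files, {t.packets:,} packets, {t.file_bytes / 1e9:.0f} GB on disk")
    print(f"{t.files_per_s:.2f} files/s, {t.packets_per_s:,.0f} pkt/s, "
          f"{t.inspected_mbit_s:.0f} Mbit/s inspected, {t.realtime_factor:.1f}x real time")
    print(f"{t.captured_fraction:.0%} of wire bytes are in the files (150-byte snaplen)")
```

Take the wall-clock figure from `time snort ...` or from Snort's own run summary rather than from a wristwatch. Two things are worth keeping apart when quoting a rate: Snort only inspects the bytes that are in the file (File size, about 51 MB per file here), not the on-wire Data size (about 305 MB), so with a 150-byte snaplen the inspected byte rate is roughly a sixth of the wire rate the capture represents; and since each file holds 21 seconds of traffic, "one file per second" means Snort replayed this corpus at roughly 23x real time, around 450k packets per second.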