[Snort-users] Estimating Snort's speed in processing pcaps

Pablo Cantos Polaino pcantos at ...16842...
Fri May 29 09:01:37 EDT 2015


Hi Patrik,

Look at these numbers:

Breakdown by protocol (includes rebuilt packets):
        Eth:   1692541722 (100.000%)
        ...
All Discard:    852578532 ( 50.373%)

dcerpc2 Preprocessor Statistics
  Total sessions: 4040
  Total sessions autodetected: 4040
  Total sessions aborted: 3840
  Bad autodetects: 455

They seem strange to me. Maybe try some pcaps separately and
check whether this is a general behavior in some pcaps.

Best Regards,


Pablo Cantos
redborder.org / pcantos at ...16842...

2015-05-29 12:33 GMT+02:00 Pratik Narang <pratik.cse.bits at ...11827...>:

> Thanks YM for the inputs. I had missed enabling pre-processor rules
> from the conf file. I did a re-run of Snort. My output plug-in is u2.
>
> Pablo: A txt file is attacched with Snort's output.
>
> Regards,
> Pratik
>
>
> On Thu, May 28, 2015 at 7:47 PM, Pablo Cantos Polaino
> <pcantos at ...16842...> wrote:
> > Hi Patrik,
> >
> > Could you please paste here the Snort output?
> >
> > Best Regards,
> >
> > Pablo Cantos
> > redborder.org / pcantos at ...16842...
> >
> > 2015-05-28 15:00 GMT+02:00 Y M <snort at ...15979...>:
> >>
> >> Hi Patrik,
> >>
> >> Things to consider also:
> >>
> >> 1. The number of preprocessors enabled (HTTP, SMTP, etc.).
> >> 2. The configuration of each preprocessor. For example,
> >> server_flow_depth and client_flow_depth in http_inspect.
> >> 3. The number of rules enabled AND included in your snort.conf.
> >> 4. The output plugin used (unified2, full text, log_dump, console).
> >> 5. How your HOME_NET and EXTERNAL_NET are configured.
> >>
> >> All of these may have an impact on how Snort may perform, at least when
> >> doing live detection.
> >> YM
> >>
> >> > Date: Thu, 28 May 2015 17:09:44 +0530
> >> > From: pratik.cse.bits at ...11827...
> >> > To: snort-users at lists.sourceforge.net
> >> > Subject: [Snort-users] Estimating Snort's speed in processing pcaps
> >>
> >> >
> >> > Dear Snort users,
> >> >
> >> > I was recently feeding some pcaps to Snort, and trying to understand
> >> > how fast it does so. The results are bit surprising and I think I need
> >> > some help of the experts here...
> >> >
> >> > So, I ran: sudo snort -c /etc/snort/snort.conf
> >> > --pcap-dir="/path/to/dump". It had some 4,000 files, each of around 50
> >> > MB, totaling to 200 GB. These files were captured using dumpcap on my
> >> > University's backbone router, with payloads truncated to 150 bytes.
> >> > "capinfos" on one such file is given below:
> >> >
> >> > capinfos trace_00001_20150502000001.pcap
> >> > File name: trace_00001_20150502000001.pcap
> >> > File type: Wireshark/tcpdump/... - libpcap
> >> > File encapsulation: Ethernet
> >> > Packet size limit: file hdr: 150 bytes
> >> > Packet size limit: inferred: 150 bytes
> >> > Number of packets: 419649
> >> > File size: 51200110 bytes
> >> > Data size: 305514817 bytes
> >> > Capture duration: 21 seconds
> >> > Start time: Sat May 2 00:00:01 2015
> >> > End time: Sat May 2 00:00:22 2015
> >> > Data byte rate: 14640117.49 bytes/sec
> >> > Data bit rate: 117120939.92 bits/sec
> >> > Average packet size: 728.02 bytes
> >> > Average packet rate: 20109.37 packets/sec
> >> >
> >> > What astounded me was that Snort took a little more than one hour to
> >> > go through all of the pcaps. That means more than one file every
> >> > second - which is amazing!!
> >> > What I wish to know here - is this processing speed of Snort "pretty
> >> > normal", or am I missing something here?
> >> > FWIW, I am running Snort on a server grade machine with 64GB of RAM
> >> > and 24 cores.
> >> >
> >> > Cheers!
> >> >
> >> >
> >> >
> >> > ------------------------------------------------------------------------------
> >> > _______________________________________________
> >> > Snort-users mailing list
> >> > Snort-users at lists.sourceforge.net
> >> > Go to this URL to change user options or unsubscribe:
> >> > https://lists.sourceforge.net/lists/listinfo/snort-users
> >> > Snort-users list archive:
> >> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >> >
> >> > Please visit http://blog.snort.org to stay current on all the latest
> >> > Snort news!
> >>
> >>
> >
> >
>
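Putting the thread's numbers together, as an added example that is not code from any poster or from Snort itself: it parses the capinfos and Snort counter lines quoted above, estimates the packet rate Snort sustained over the --pcap-dir run, shows how much of the wire data a 150-byte snaplen actually leaves for inspection, and flags the discard and dcerpc2 abort ratios Pablo called strange. The 3600 s elapsed time and the flag thresholds are assumptions, not Snort defaults.

```python
import re

# Constructed sample input: the capinfos fields and Snort end-of-run
# counters quoted in this thread, embedded so the script runs offline.
CAPINFOS = """\
Number of packets: 419649
File size: 51200110 bytes
Data size: 305514817 bytes
Capture duration: 21 seconds
Packet size limit: inferred: 150 bytes
"""
SNORT_STATS = """\
Breakdown by protocol (includes rebuilt packets):
        Eth:   1692541722 (100.000%)
All Discard:    852578532 ( 50.373%)
dcerpc2 Preprocessor Statistics
  Total sessions: 4040
  Total sessions aborted: 3840
  Bad autodetects: 455
"""

def parse_kv(text):
    """Turn 'Label: <integer> ...' lines into {label: int}; units and
    trailing percentages are ignored, lines without a leading integer skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*?):\s+(\d+)", line)
        if m:
            out[m.group(1).strip()] = int(m.group(2))
    return out

def snort_rate(files, packets_per_file, elapsed_s):
    """Average packets/second Snort sustained over the whole --pcap-dir run."""
    return files * packets_per_file / elapsed_s

def captured_fraction(cap):
    """Share of the wire bytes that survived the snaplen truncation; Snort only
    inspects this part, so throughput and content matches are both reduced."""
    return cap["File size"] / cap["Data size"]

def health_checks(stats, discard_max=0.25, abort_max=0.5):
    """Flag the counters from the thread; thresholds are assumed, not Snort's."""
    flags = []
    discard = stats["All Discard"] / stats["Eth"]
    if discard > discard_max:
        flags.append(f"discard ratio {discard:.1%} exceeds {discard_max:.0%}")
    aborted = stats["Total sessions aborted"] / stats["Total sessions"]
    if aborted > abort_max:
        flags.append(f"dcerpc2 aborted {aborted:.1%} of sessions")
    return flags
```

Run the checks on a real Snort summary by pasting it in place of the constructed strings; a high discard ratio on truncated captures usually means Snort is dropping packets it cannot reassemble rather than inspecting them.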