Snort mailing list archives

RE: Snort sniffing (snorfing?)


From: "Wedge Breaker" <wedgebreaker () crackdealer com>
Date: Thu, 23 Aug 2001 08:26:18 -0700

a much higher rate of traffic.  The 'sniff' process only reads the data from
the wire, then drops it to disk.  No decoding done, no output--other than disk
i/o.  The slow part is the -v option which prints it out to the stdout.

Just to clarify - you are saying that the background processing that is performed when using the -v option (even to 
/dev/null) is more overhead than writing to disk?  This is pretty much the question I was asking, I guess I didn't ask 
it very well the first time.

Lots!  But I'm not sure if they are useful here. :)  What are you really
trying to achieve?  If it's seeing the saturation point at which snort will
start to lose packets, then you should log to binary, and post process.  If
it's how fast it will print to screen and drop packets then use the -v switch.

I'm trying to find the saturation point - I don't really care about printing to the screen (hence /dev/null).  Think of 
using tcpdump in streamlined fashion - you want a "high water mark" of how fast can it sniff.  For tcpdump, I do 
something like tcpdump -i eth0 > /dev/null because it can capture more packets that way than any other.  Once you have 
the theoretical maximum, you then have the baseline needed to determine what kind of traffic causes what kind of 
performance hit.  You can always go back to your baseline.  I was trying the same thing with snort, but it (snort) 
functions a bit differently than tcpdump.

This little effort of mine was prompted by the long-winded, blowhard, vendor bashing stint that took place on focus-ids 
a while back.  Those yo-yos got me thinking (vendors are good for something I guess ;) and I figured I'd see what snort 
could do.  Just trying to establish my baseline i.e. best possible packet capture performance.

Thanks!

wb
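Added example (not from this post, and not Snort project code): a small POSIX shell helper for the baseline measurement discussed above, i.e. capture to disk rather than to stdout, then read the counters tcpdump prints when it is interrupted and turn them into a kernel drop percentage. The interface name, the /tmp paths, the sample counters and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Measure the capture "high water
# mark" by logging packets to disk with no decoding, then compute the drop
# percentage from the exit statistics tcpdump prints. Reference commands
# (eth0 and the /tmp paths are assumptions):
#   tcpdump -i eth0 -w /tmp/baseline.pcap     # raw packets to disk, no decode
#   snort -b -l /tmp/snortlog -i eth0         # Snort binary (tcpdump-format) log
# On SIGINT tcpdump prints lines such as "N packets received by filter" and
# "M packets dropped by kernel"; drop_pct reads those from stdin.

# drop_pct: print the kernel drop percentage with two decimals
# (0.00 when no packets were received by the filter).
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv + 0 == 0) { printf "0.00\n"; exit }
            printf "%.2f\n", 100 * drop / recv
        }'
}

# saturated THRESHOLD: exit 0 when the drop percentage read from stdin exceeds
# THRESHOLD (in percent), i.e. the load level where capture starts losing packets.
saturated() {
    threshold="$1"
    pct=$(drop_pct)
    awk -v p="$pct" -v t="$threshold" 'BEGIN { exit !(p > t) }'
}

# Constructed sample of tcpdump's exit statistics (not real measurements).
SAMPLE_STATS='123456 packets captured
130000 packets received by filter
6544 packets dropped by kernel'

# Stand-alone run: prints the drop percentage for the constructed sample.
printf '%s\n' "$SAMPLE_STATS" | drop_pct
```

Run the capture at increasing offered load, feed each run's exit statistics through drop_pct, and the first load level where saturated returns true is the saturation point; the run just below it is the baseline to compare decoding and rule processing against.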




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users