[Oisf-users] Fast replay of pcap files

Dave Remien dave.remien at gmail.com
Fri Jul 15 01:50:04 UTC 2011


On Thu, Jul 14, 2011 at 7:14 PM, Gene Albin <gene.albin at gmail.com> wrote:

> Hi all,
>   I'm experimenting with replaying various pcap files in Suricata.  It
> appears that the pcap files are replaying at the same speed they were
> recorded.  I'd like to be able to replay them faster so that 1) I can stress
> the detection engine, and 2) expedite post-event analysis.
>
>   One way to accomplish this is by using tcpreplay -t, but when running on
> the same machine that takes lots of cycles away from Suricata and sends the
> recorded pcap traffic onto an interface that already has live traffic.
>
>   Is there some other way to replay captured traffic through Suricata at an
> accelerated speed?
>

Hmm - I've done pretty extensive replay of pcaps with Suricata. I have a
750GB pcap that was recorded over a 9 hour time range, and takes about 3.5
hours to be replayed through Suricata. The alerts generated show the pcap
time (i.e., over the 9 hour range).  The machine replaying the pcap is a 16
core box with a RAID array.

Is it possible that you're I/O limited?

So... I guess I'd ask about your configuration - # of CPUs, disk speeds,
proc types, rule set, suricata.yaml?

Cheers,

Dave


> --
> Gene Albin
> gene.albin at gmail.com
> gene_albin at bigfoot.com
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>


-- 
"Of course, someone who knows more about this will correct me if I'm
wrong, and someone who knows less will correct me if I'm right."
David Palmer (palmer at tybalt.caltech.edu)
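A concrete way to answer Dave's "are you I/O limited?" question, added here as an example and not part of the thread or of Suricata itself: compare the disk's raw sequential read rate for the pcap with the rate at which Suricata consumes the same file in offline mode (`suricata -r`). The paths, config file and log directory are placeholders; `suricata` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): is an offline pcap replay I/O-limited?
# Measures the raw read rate of the pcap from disk and the rate at which
# `suricata -r` gets through it. Paths and the config are placeholders.

# MB/s from a byte count and an elapsed time in whole seconds.
# Timing resolution is one second, so elapsed is clamped to 1 and the
# figure for sub-second runs is a lower bound.
rate_mbps() {
    awk -v b="$1" -v s="$2" 'BEGIN { if (s < 1) s = 1; printf "%.2f", b / 1048576 / s }'
}

file_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Run a command (given as arguments), discard its output, print elapsed whole seconds.
elapsed_seconds() {
    start=$(date +%s)
    "$@" > /dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# Raw sequential read of the file: the ceiling any replay can reach from this disk.
# Run it with a cold cache (on Linux, as root: sync; echo 3 > /proc/sys/vm/drop_caches)
# or the number reflects RAM rather than the array.
raw_read_rate() {
    secs=$(elapsed_seconds cat "$1")
    rate_mbps "$(file_bytes "$1")" "$secs"
}

# Offline replay: Suricata reads the pcap as fast as it can; alerts land in logdir.
# Suricata's own console output is discarded by elapsed_seconds.
suricata_replay_rate() {
    pcap="$1"; cfg="$2"; logdir="$3"
    mkdir -p "$logdir"
    secs=$(elapsed_seconds suricata -c "$cfg" -r "$pcap" -l "$logdir")
    rate_mbps "$(file_bytes "$pcap")" "$secs"
}

# Usage (placeholder paths):
#   raw=$(raw_read_rate /data/capture.pcap)
#   eng=$(suricata_replay_rate /data/capture.pcap /etc/suricata/suricata.yaml /tmp/replay-logs)
#   echo "disk: ${raw} MB/s   suricata: ${eng} MB/s"
```

If the two rates are close, the disk is the bottleneck and a faster array (or reading from a different spindle than the one you log to) is the fix; if Suricata is well below the raw read rate, the engine is the limit and the things Dave lists (CPU count, rule set, the threading settings in suricata.yaml) are where to look.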