[Oisf-users] Performance of pcap-log output

Jake Gionet gionet.jake at gmail.com
Tue Oct 23 17:53:49 UTC 2012

Hello all,

I was hoping to get an idea of the performance limits of Suricata’s
pcap-log output format.

I would really like to configure Suricata for both signature detection
and packet capturing.  However, from the testing I’ve been able to do
it appears to drop a significant amount of packets (more than it
actually captured) at relatively low network speeds.  The traffic I’m
currently testing with averages around 85 Mb/s and Suricata hasn’t
been able to keep up.  Even during timeframes of ~35 Mb/s it is not
capturing most packets.  It is bursty, but tcpdump has had no issue
keeping up with the traffic.

Has anybody been able to use Suricata as a packet capturing
application at speeds greater than 100 Mb/s?
Are there any configurations that would potentially improve
performance of pcap-log output?
What kind of speeds should I expect the pcap-log output to be able to
keep up with?
