[Oisf-users] FW: Performance of pcap-log output
Jake Gionet
gionet.jake at gmail.com
Tue Oct 23 18:36:46 UTC 2012
Sorry, forgot to include version information
OS: Ubuntu 12.04.1
Suricata: 1.4beta2
> Hello all,
>
> I was hoping to get an idea of the performance limits of Suricata's pcap-log output format.
>
> I would really like to configure Suricata for both signature detection and packet capturing. However, from the testing I've been able to do it appears to drop a significant amount of packets (more than it actually captured) at relatively low network speeds. The traffic I'm currently testing with averages around 85 Mb/s and Suricata hasn't been able to keep up. Even during timeframes of ~35 Mb/s it is not capturing most packets. It is bursty, but tcpdump has had no issue keeping up with the traffic.
>
> Has anybody been able to use Suricata as a packet capturing application at speeds greater than 100 Mb/s?
> Are there any configurations that would potentially improve performance of pcap-log output?
> What kind of speeds should I expect the pcap-log output to be able to keep up with?
>
>
> Thanks,
> Jake
More information about the Oisf-users
mailing list