[Oisf-users] FW: Performance of pcap-log output

Peter Manev petermanev at gmail.com
Tue Oct 23 19:27:37 UTC 2012


The speeds that you are achieving are very low, almost impossible :).
Please have a look here (although it uses advanced techniques for your
network card drivers and such, it will be helpful to set up your

What speeds are you looking at .. on your network interface?
Which version of Suricata are you using?

I am not sure about pcap-log throughput, but I am assuming it will be
hugely dependent on your HDD speed as well.


On Tue, Oct 23, 2012 at 8:36 PM, Jake Gionet <gionet.jake at gmail.com> wrote:

> Sorry, forgot to include version information
> OS: Ubuntu 12.04.1
> Suricata: 1.4beta2
> > Hello all,
> >
> > I was hoping to get an idea of the performance limits of Suricata's
> pcap-log output format.
> >
> > I would really like to configure Suricata for both signature detection
> and packet capturing.  However, from the testing I've been able to do it
> appears to drop a significant amount of packets (more than it actually
> captured) at relatively low network speeds.  The traffic I'm currently
> testing with averages around 85 Mb/s and Suricata hasn't been able to keep
> up.  Even during timeframes of ~35 Mb/s it is not capturing most packets.
>  It is bursty, but tcpdump has had no issue keeping up with the traffic.
> >
> > Has anybody been able to use Suricata as a packet capturing application
> at speeds greater than 100 Mb/s?
> > Are there any configurations that would potentially improve performance
> of pcap-log output?
> > What kind of speeds should I expect the pcap-log output to be able to
> keep up with?
> >
> >
> > Thanks,
> > Jake

Peter Manev