[Oisf-users] FW: Performance of pcap-log output

Martin Holste mcholste at gmail.com
Tue Oct 23 19:39:07 UTC 2012


Jake,

That seems very low indeed, though I don't use Suricata for collecting pcap.

At anything less than a Gb/sec, the hard drive speeds will almost
certainly not be a factor.  HDs write and read at rates not seen on
normal networks during normal operation.  Modern SATA will
theoretically write at 6 GB/sec, which is 48 Gb/sec.  Until you're
pushing more than 1 Gb/sec, your bottleneck will be the pcap interface
at all times, even if you have very slow disk.

Do you get drops when you have disk writing turned off?

On Tue, Oct 23, 2012 at 2:27 PM, Peter Manev <petermanev at gmail.com> wrote:
> Hi,
>
> The speeds that you are achieving are very low, almost impossible :).
> Please have a look here (although it uses advanced techniques for your
> network card drivers and such, it will be helpful to set up your
> suricata.yaml):
> https://home.regit.org/2012/07/suricata-to-10gbps-and-beyond/
>
> What speeds are you looking at .. on your network interface?
> Which version of Suricata are you using?
>
> I am not sure about pcap-log throughput, but I am assuming it will be hugely
> dependent on your HDD speed as well.
>
> thanks
>
>
> On Tue, Oct 23, 2012 at 8:36 PM, Jake Gionet <gionet.jake at gmail.com> wrote:
>>
>> Sorry, forgot to include version information
>>
>> OS: Ubuntu 12.04.1
>> Suricata: 1.4beta2
>>
>>
>> > Hello all,
>> >
>> > I was hoping to get an idea of the performance limits of Suricata's
>> > pcap-log output format.
>> >
>> > I would really like to configure Suricata for both signature detection
>> > and packet capturing.  However, from the testing I've been able to do it
>> > appears to drop a significant amount of packets (more than it actually
>> > captured) at relatively low network speeds.  The traffic I'm currently
>> > testing with averages around 85 Mb/s and Suricata hasn't been able to keep
>> > up.  Even during timeframes of ~35 Mb/s it is not capturing most packets.
>> > It is bursty, but tcpdump has had no issue keeping up with the traffic.
>> >
>> > Has anybody been able to use Suricata as a packet capturing application
>> > at speeds greater than 100 Mb/s?
>> > Are there any configurations that would potentially improve performance
>> > of pcap-log output?
>> > What kind of speeds should I expect the pcap-log output to be able to
>> > keep up with?
>> >
>> >
>> > Thanks,
>> > Jake
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
>
>
> --
> Regards,
> Peter Manev
>
>
>
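Martin's suggestion above is to compare drop counts with pcap-log enabled and disabled. The quickest way to do that on a Suricata sensor is to read its stats.log, which emits a snapshot every few seconds with cumulative per-thread counters, including `capture.kernel_packets` and `capture.kernel_drops` for the capture threads. The script below is an added example for this thread, not code from Suricata or from any of the posters. It assumes the classic stats.log layout (a `Date:` header per snapshot followed by `counter | thread | value` rows); the embedded log is a constructed sample, and the thread name `RxPcapeth01` in it is illustrative.

```python
"""
Summarise kernel capture drops per snapshot from a Suricata stats.log.

Added example, not Suricata's own code. Assumes the classic stats.log
layout and the counter names capture.kernel_packets / capture.kernel_drops.
Run it once with pcap-log enabled and once with it disabled, and compare
the interval drop percentages for the same traffic.
"""
import re
from collections import defaultdict

# Constructed sample: two snapshots from a hypothetical single-thread sensor.
SAMPLE_STATS_LOG = """\
-------------------------------------------------------------------
Date: 10/23/2012 -- 19:30:00 (uptime: 0d, 00h 05m 00s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 100000
capture.kernel_drops      | RxPcapeth01               | 0
decoder.pkts              | Decode1                   | 100000
-------------------------------------------------------------------
Date: 10/23/2012 -- 19:30:08 (uptime: 0d, 00h 05m 08s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth01               | 300000
capture.kernel_drops      | RxPcapeth01               | 150000
decoder.pkts              | Decode1                   | 150000
"""

DATE_RE = re.compile(r"^Date:\s+(.+?)\s+\(uptime")
ROW_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")


def parse_snapshots(text):
    """Return a list of (timestamp, {counter: value}) for each snapshot.

    Values are summed across threads, so a multi-thread sensor still yields
    one packets/drops pair per snapshot. Header and separator lines do not
    match ROW_RE and are skipped.
    """
    snapshots = []
    current = None
    for line in text.splitlines():
        m = DATE_RE.match(line)
        if m:
            current = (m.group(1), defaultdict(int))
            snapshots.append(current)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            counter, _thread, value = m.groups()
            current[1][counter] += int(value)
    return snapshots


def _pct(drops, packets):
    """Drops as a percentage of packets; 0.0 when nothing was seen."""
    return 100.0 * drops / packets if packets else 0.0


def drop_report(text):
    """Per snapshot: cumulative drop % and drop % over the preceding interval.

    Counters in stats.log are cumulative since start, so the interval figure
    is computed from the difference to the previous snapshot and is the one
    that shows whether drops coincide with a traffic burst.
    """
    report = []
    prev_pkts = prev_drops = 0
    for ts, counters in parse_snapshots(text):
        pkts = counters.get("capture.kernel_packets", 0)
        drops = counters.get("capture.kernel_drops", 0)
        report.append({
            "timestamp": ts,
            "packets": pkts,
            "drops": drops,
            "cumulative_drop_pct": _pct(drops, pkts),
            "interval_drop_pct": _pct(drops - prev_drops, pkts - prev_pkts),
        })
        prev_pkts, prev_drops = pkts, drops
    return report


if __name__ == "__main__":
    for row in drop_report(SAMPLE_STATS_LOG):
        print("{timestamp}: {packets} pkts, {drops} drops, "
              "{cumulative_drop_pct:.1f}% cumulative, "
              "{interval_drop_pct:.1f}% over interval".format(**row))
```

To use it on a real sensor, replace `SAMPLE_STATS_LOG` with the contents of the sensor's stats.log (for example `drop_report(open("/var/log/suricata/stats.log").read())`). A high interval percentage that appears only when pcap-log is on, with the same input traffic, points at the disk-writing path; a percentage that is the same either way points at the capture side, which is the distinction Martin's question is after.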


