[Oisf-users] FW: Performance of pcap-log output
Jake Gionet
gionet.jake at gmail.com
Thu Oct 25 12:52:15 UTC 2012
On Wed, Oct 24, 2012 at 5:26 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
> A couple of questions.
>
> 1. What is the snaplen you are using for tcpdump?
> 2. What is max-pending-packets set to in suricata and what is your runmode?
>
Snaplen of zero for tcpdump. I was also mistaken about it handling it
with no issue, it just apparently didn't write any data to the pcap
that indicated that there were missing packets. It was still dropping
around 10% of the packets. I've had to switch to netsniff-ng and gulp
(currently testing both) before I lost less than 1%
max-pending-packets is currently set to 1024.
On Wed, Oct 24, 2012 at 5:21 PM, Victor Julien <lists at inliniac.net> wrote:
>
> The current implementation of the pcap recording is far from optimal. We
> just use a single dumper with a big lock to ensure thread safety.
>
> How much performance is possible with it I don't know, but I would
> recommend tuning suricata without the pcap logging first, then after you
> have it running properly try to enable it again.
>
> Cheers,
> Victor
>
That's disappointing, but along the lines of what I expected. When I
saw the packet capturing was an option I had hoped to be able to use
Suricata as an all-in-one monitoring appliance. Prior to that I had
planned on using other applications to capture the traffic anyways.
Thanks,
Jake
More information about the Oisf-users
mailing list