[Oisf-users] FW: Performance of pcap-log output

[Will Metcalf]

If you are dropping packets with tcpdump you probably want to look at
using PF_RING, PF_RING enabled libpcap, AF_PACKET and/or get better
HW.  I bet you will see similar performance using suricata with no
rules loaded.

Regards,

Will

On Thu, Oct 25, 2012 at 7:52 AM, Jake Gionet <gionet.jake at gmail.com> wrote:
> On Wed, Oct 24, 2012 at 5:26 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
>> A couple of questions.
>>
>> 1. What is the snaplen you are using for tcpdump?
>> 2. What is max-pending-packets set to in suricata and what is your runmode?
>>
>
> Snaplen of zero for tcpdump.  I was also mistaken about it handling it
> with no issue, it just apparently didn't write any data to the pcap
> that indicated that there were missing packets.  It was still dropping
> around 10% of the packets.  I've had to switch to netsniff-ng and gulp
> (currently testing both) before I lost less than 1%
>
> max-pending-packets is currently set to 1024.
>
>
> On Wed, Oct 24, 2012 at 5:21 PM, Victor Julien <lists at inliniac.net> wrote:
>>
>> The current implementation of the pcap recording is far from optimal. We
>> just use a single dumper with a big lock to ensure thread safety.
>>
>> How much performance is possible with it I don't know, but I would
>> recommend tuning suricata without the pcap logging first, then after you
>> have it running properly try to enable it again.
>>
>> Cheers,
>> Victor
>>
>
> That's disappointing, but along the lines of what I expected.  When I
> saw the packet capturing was an option I had hoped to be able to use
> Suricata as an all-in-one monitoring appliance.  Prior to that I had
> planned on using other applications to capture the traffic anyways.
>
>
> Thanks,
> Jake
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users