RE: high speed nids

From: Graham, Robert (ISS San Mateo)
Date: 08/08/01

Message-ID: <B5DCF3BB695BD511864700306E1148BB29830D@MSGSMAT01>
From: "Graham, Robert (ISS San Mateo)" <>
To:, "'robert_david_graham'" <>
Subject: RE: high speed nids
Date: Wed, 8 Aug 2001 12:17:17 -0400 

>Really? In a previous post you said:
>> "I don't know of a single operating system that can sniff beyond 100,000
>>packets/second, and consequently, I don't know of any other NIDS that can
>>exceed 100,000 packets/second. In contrast, our system can handle 700,000
>Even though I think this is just bandying, I'll step up to the plate here.

>Currently, our "bottleneck" as you call it, is somewhere around 350,000 pps

This is where "I don't know" comes in. This is why we have discussions -- to
fill in where people are ignorant.

So far, Elliot has corrected me that his company is coming out with a
900,000 packets/second driver, and you have corrected me that the currently
shipping Dragon can do 350,000 packets/second.

>My background is hard science and I was taught to believe
>NOTHING and question EVERYTHING. Pure objective testing is the only thing
>that can present results that convey meaning.

My scientific background focused on "reproducible results". To fully
document the experiment:
1. we use SmartBits (though any traffic generator should be sufficient)
2. we use UDP packets sized correctly to fully saturate the wire (note
because of interframe gap, 100% saturation doesn't always equal 1-Gbps)
3. src and dst port set to zero (we are focussing on raw sniffing
performance, not NIDS analysis in this experiment).
4. we let it run for ten minutes
5. we measure the total count the IDS claims it saw and the SmartBits claims
it sent. These numbers should match exactly.
6. we report the level at which packets start to be missed (700,000 pps;
we'll go a lot higher, but not without dropping packets). In other words, if
one packet out of a billion is dropped, then the test fails (I know that
sounds impressive, but it isn't).

Multiple customers have reproduced this experiment.

Again, this test measures neither sexiness nor analysis speed, it just
measures sniffing bottlenecks. Note that since a lot of our customers are
running in the 500,000 packets/second range, there isn't much headroom for
this bottleneck. When they are under DDoS attack that fills the pipe, we
will be dropping packets, not because of analysis speed, but because of the
sniffing bottleneck.
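
The arithmetic behind steps 2 and 5 of the experiment above, as an added example that is not part of the original message: it computes gigabit line rate in packets/second once preamble and interframe gap are counted, and applies the exact-match pass criterion. Function names are hypothetical, the frame constants are the standard Ethernet/IPv4/UDP sizes, and the counters in the demo are constructed.

```python
"""Line-rate arithmetic and zero-loss check for a sniffing benchmark."""

# Standard Ethernet/IPv4/UDP sizes in bytes.
PREAMBLE_SFD = 8      # preamble + start-of-frame delimiter, on the wire only
INTERFRAME_GAP = 12   # mandatory idle time between frames, in byte times
ETH_HEADER, FCS = 14, 4
IPV4_HEADER, UDP_HEADER = 20, 8
MIN_FRAME, MAX_FRAME = 64, 1518
GIGABIT = 1_000_000_000


def frame_size(udp_payload):
    """Ethernet frame size (header through FCS) for a UDP payload, with padding."""
    return max(ETH_HEADER + IPV4_HEADER + UDP_HEADER + udp_payload + FCS, MIN_FRAME)


def line_rate_pps(frame_bytes, link_bps=GIGABIT):
    """Packets/second when frames are sent back to back on a saturated wire."""
    return link_bps / ((frame_bytes + PREAMBLE_SFD + INTERFRAME_GAP) * 8)


def frame_share_of_link(frame_bytes, link_bps=GIGABIT):
    """Fraction of link bit rate carried as frame bits at 100% saturation."""
    return line_rate_pps(frame_bytes, link_bps) * frame_bytes * 8 / link_bps


def frame_for_target_pps(target_pps, link_bps=GIGABIT):
    """Largest frame size that still yields at least target_pps at saturation."""
    frame = link_bps // (8 * target_pps) - PREAMBLE_SFD - INTERFRAME_GAP
    if frame < MIN_FRAME:
        raise ValueError("target exceeds line rate for minimum-size frames")
    return min(frame, MAX_FRAME)


def evaluate_run(sent, seen, seconds=600):
    """Pass only if the sensor's count matches the generator's count exactly."""
    return {"offered_pps": sent / seconds, "dropped": sent - seen, "passed": sent == seen}


if __name__ == "__main__":
    size = frame_for_target_pps(700_000)
    print(size, round(line_rate_pps(size)), f"{frame_share_of_link(size):.1%}")
    # Constructed counters: ten minutes at 700,000 pps, one packet missed.
    print(evaluate_run(sent=420_000_000, seen=419_999_999))
```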