RE: high speed nids

From: Turner, Elliot (eturner@intrusion.com)
Date: 08/08/01


Message-ID: <636A9B29EA94BC4194D844C27A3B1AAB016DE625@Mercury.intrusion.com>
From: "Turner, Elliot" <eturner@intrusion.com>
To: "'robert_david_graham'" <robert_david_graham@yahoo.com>, sstover@enterasys.com
Subject: RE: high speed nids
Date: Wed, 8 Aug 2001 11:12:04 -0500 

Comments below:

-----Original Message-----
>Cisco has published that their bottleneck is 200,000 packets/second, and
>Intrusion.com has published a paper showing a bottleneck at 70,000 (though
>Elliot says he has a new custom sniffing driver). ISS/NetICE has a

One note, this driver isn't new. We've been shipping it for over 4 months,
and beta customers have been using it for over 8 months.

>bottleneck at 700,000 packets/second. Samuel Stover is the Director of QA
>for Enterasys, maybe he can share with us what the Dragon sniffing
>bottleneck is? Just load up empty UDP or TCP port 0 packets in the
SmartBits
>and let it run.

The "bottleneck" that Robert is referring to (70,000 packets/sec) was in a
scenario that utilized 1514 byte Ethernet frames. That isn't a bottleneck.
That is almost full utilization of a Gigabit segment.

As I had mentioned previously, my custom driver is capable of a sustained
rate of 700,000+ packets/sec with 64 byte frames, with peak rates of over
900,000 packets/sec. However, if you throw large packets at the same
driver, you'll get smaller packets/sec numbers. This is because a smaller
number of packets can traverse a segment (because the packets are larger and
thus utilize more of the available bandwidth).

If someone can show me how to push more than 1 Gigabit/sec of traffic
through a Gigabit segment, I'd be impressed.

If NetworkICE can push more than 1 Gigabit/sec of large frames into their
custom driver, I'd be equally impressed.

I'm sure if I put the NetworkICE product in a lab and shot large frames at
it, it would probably top out at around 70,000 packets/sec. This is a
limitation of Gigabit Ethernet, not the NetworkICE product. If I made a
comparison using those figures to my own product (SecureNet Pro) where I
performed a test utilizing small frames (64 byte packets), it would appear
as if my product was much faster. This is very misleading.

Let's try to be more fair in our comparisons please.

Regards,

Elliot



Relevant Pages