RE: two sniffers on the same eth ifc performance impact?

From: Alexander Poizner <APoizner@hipinteractive.com>
To: 'Anton Chuvakin' <anton@chuvakin.org>, focus-ids@securityfocus.com
Date: Mon, 25 Mar 2002 13:26:12 -0500

Hi Anton,

In my opinion, the main bottleneck should be the messaging between the device
driver process and the running sniffers, assuming that the sniffers do receive
messages directly from the device driver. Both of the sniffers are now getting
the messages (with Ethernet frames) from the device driver. At this point it
depends in many cases on the OS and its message handling; however, I am sure
that on a high-traffic network you will get a fair percentage of performance
reduction.

Also, both sniffers are maintaining a fast-growing DB of frames and are
performing statistical analysis as well as decoding operations on the
packets. This will also greatly affect the performance.

Just out of curiosity, what do you need two sniffers running on the same
interface for?

Regards,

Alexander Poizner
Systems Security Engineer
HIP Interactive Corp.
(416) 249-7555 x206

-----Original Message-----
From: Anton Chuvakin [mailto:anton@chuvakin.org]
Sent: Friday, March 22, 2002 10:58
To: focus-ids@securityfocus.com
Subject: two sniffers on the same eth ifc performance impact?
Importance: High

Hi all,

Just a quick question - I was not able to find an answer anywhere, and my
thinking process somehow doesn't lead me to an answer this time ;-)

What is the performance impact of running two sniffers on the same eth0
interface in UNIX/Linux? For example, for whatever weird reason I want to
run two snorts, or snort and tcpdump. Will it influence the packet drop
rates? My problem is that I can test it in a low-traffic environment only,
and it will have to be deployed in a high-traffic one ;-(

Thanks a lot in advance!

Best,

-- 
     Anton A. Chuvakin, Ph.D.
     http://www.chuvakin.org
     http://www.info-secure.org
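Anton's question is about packet drop rates, and Alexander's point is that each sniffer gets its own copy of every frame from the kernel. The usual way to measure the effect is to read the "packets dropped by kernel" counter that tcpdump prints on exit, once with a single sniffer and once with two running side by side. The script below is an added example for this thread, not code from either poster; the tcpdump output it parses is constructed sample text, and the comparison helper and its names are my own.

```python
"""Compare the kernel drop rate reported by tcpdump for one sniffer vs. two.

tcpdump prints three libpcap counters (pcap_stats) to stderr when it stops:
    N packets captured
    M packets received by filter
    K packets dropped by kernel
On Linux "dropped by kernel" comes from the sniffer's own AF_PACKET socket
(PACKET_STATISTICS tp_drops), so each concurrent sniffer reports its own
drops; the figure to watch is how much it rises when a second one is added.
"""
import re
from dataclasses import dataclass

SUMMARY_RE = re.compile(
    r"(\d+) packets captured\s+(\d+) packets received by filter\s+"
    r"(\d+) packets dropped by kernel"
)

@dataclass
class CaptureStats:
    captured: int
    received: int
    dropped: int

    def drop_rate(self) -> float:
        """Dropped share of everything the filter let through (0.0 if idle)."""
        total = self.received + self.dropped
        return self.dropped / total if total else 0.0

def parse_summary(stderr_text: str) -> CaptureStats:
    """Extract the three counters from tcpdump's stderr; raise if absent."""
    m = SUMMARY_RE.search(stderr_text)
    if m is None:
        raise ValueError("no libpcap summary found in output")
    return CaptureStats(*(int(g) for g in m.groups()))

def compare_runs(alone: str, concurrent: dict) -> dict:
    """Drop rate of a lone sniffer vs. each sniffer of a concurrent run."""
    rates = {"alone": parse_summary(alone).drop_rate()}
    for name, text in concurrent.items():
        rates[name] = parse_summary(text).drop_rate()
    return {k: round(v, 4) for k, v in rates.items()}

# Constructed sample output (hypothetical numbers, not real measurements).
ALONE = "200000 packets captured\n200000 packets received by filter\n0 packets dropped by kernel\n"
PAIR = {
    "tcpdump_a": "198500 packets captured\n198500 packets received by filter\n1500 packets dropped by kernel\n",
    "tcpdump_b": "195000 packets captured\n195000 packets received by filter\n5000 packets dropped by kernel\n",
}

if __name__ == "__main__":
    for name, rate in compare_runs(ALONE, PAIR).items():
        print(f"{name:>10}: {rate:.2%} dropped")
```

Run the two tcpdump instances with `-c` for the same packet count and feed each one's stderr to `compare_runs`; a second-sniffer drop rate that stays near the lone-sniffer figure means the box has headroom for both.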