RE: two sniffers on the same eth ifc performance impact?

From: Bryan Burns (bburns@onesecure.com)
Date: 03/27/02

• Previous message: o00o_j: "Re: two sniffers on the same eth ifc performance impact?"
• In reply to: o00o_j: "Re: two sniffers on the same eth ifc performance impact?"
• Next in thread: Anton Chuvakin: "Re: two sniffers on the same eth ifc performance impact?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Bryan Burns" <bburns@onesecure.com>
To: "o00o_j" <o00o_j@yahoo.com>, "Anton Chuvakin" <anton@chuvakin.org>, <focus-ids@securityfocus.com>
Date: Wed, 27 Mar 2002 11:28:52 -0800

If you think about the amount of processing time it takes to respond to the
NIC's interrupt and copy the packet up into user-space, you're much better
off sending the packet to 2 sniffers after it's in user-space then you are
with 2 NICs doing all that processing twice for the same packet. I have no
idea if libpcap is smart enough to handle multiple listeners for the same
packet though.

-Bryan

-----Original Message-----
From: o00o_j [mailto:o00o_j@yahoo.com]
Sent: Wednesday, March 27, 2002 7:08 AM
To: Anton Chuvakin; focus-ids@securityfocus.com
Subject: Re: two sniffers on the same eth ifc performance impact?

This may not be possible, and it's a very straightforward approach, but
what about throwing a second NIC on the host and connecting both NIC's
to a hub along with the uplink, that way you have two interfaces seeing
the same traffic and you can avoid the problem of packet drops at the
NIC... of course you could run into other performance problems, but
they wouldn't be at the NIC-level.

regards,
-j

--- Anton Chuvakin <anton@chuvakin.org> wrote:
> Hi all,
>
> Just a quick question - I was not able to find an answer anywhere,
> and my
> thinking process somehow doesn't lead me to an answer this time ;-)
>
> What is the performance impact of running two sniffers on the same
> eth0
> interface in UNIX/Linux. For example, for whatever weird reason I
> want to
> run two snorts or snort and tcpdump? Will it influence the packet
> drop
> rates? My problem is that I can test it in low traffic environment
> only
> and it will have to be deployed in high-traffic one ;-(
>
> Thanks a lot in advance!
>
> Best,
> --
> Anton A. Chuvakin, Ph.D.
> http://www.chuvakin.org
> http://www.info-secure.org
>
>

__________________________________________________
Do You Yahoo!?
Yahoo! Movies - coverage of the 74th Academy Awards.
http://movies.yahoo.com/

---

• Previous message: o00o_j: "Re: two sniffers on the same eth ifc performance impact?"
• In reply to: o00o_j: "Re: two sniffers on the same eth ifc performance impact?"
• Next in thread: Anton Chuvakin: "Re: two sniffers on the same eth ifc performance impact?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: [PATCH 1/5] AF_RXRPC: Add blkcipher accessors for using kernel data directly [try #2] ... I was trying to avoid building a scatterlist completely. ... processing time, and has to be done on every secure packet. ... using hardware support would be a waste of time as ... (Linux-Kernel) Re: two sniffers on the same eth ifc performance impact? ... 64 megs of physical ram ... two sniffers on the same eth ifc performance impact? ... the entire packet if necessary. ... (Focus-IDS) Re: [PATCH] crypto: make michael_block a function ... the initial xor with ctx->l. ... Also open-code xswap in its one use in michael_block. ... Every packet. ... I have no idea whether it has performance impact, ... (Linux-Kernel) Re: [PATCH] crypto: make michael_block a function ... the initial xor with ctx->l. ... Also open-code xswap in its one use in michael_block. ... Every packet. ... I have no idea whether it has performance impact, ... (Linux-Kernel)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2002-03