Re: two sniffers on the same eth ifc performance impact?

From: Patrick Andry (pandry@wolverinefreight.ca)
Date: 03/27/02


Date: Wed, 27 Mar 2002 14:06:17 -0500
From: Patrick Andry <pandry@wolverinefreight.ca>

What about just saving the tcpdump to file and piping output to snort?
That should take care of many of the problems associated with two
programs fighting for the same NIC. IIRC, you can set tcpdump to grab
the entire packet if necessary. Just make sure you have fast disks and
loads of RAM.

o00o_j wrote:

> This may not be possible, and it's a very straightforward approach, but
> what about throwing a second NIC on the host and connecting both NICs
> to a hub along with the uplink, that way you have two interfaces seeing
> the same traffic and you can avoid the problem of packet drops at the
> NIC... of course you could run into other performance problems, but
> they wouldn't be at the NIC-level.
>
> regards,
> -j
>
> --- Anton Chuvakin <anton@chuvakin.org> wrote:
>
>>Hi all,
>>
>>Just a quick question - I was not able to find an answer anywhere, and my
>>thinking process somehow doesn't lead me to an answer this time ;-)
>>
>>What is the performance impact of running two sniffers on the same eth0
>>interface in UNIX/Linux? For example, for whatever weird reason I want to
>>run two snorts or snort and tcpdump? Will it influence the packet drop
>>rates? My problem is that I can test it in a low-traffic environment only
>>and it will have to be deployed in a high-traffic one ;-(
>>
>>Thanks a lot in advance!
>>
>>Best,
>>--
>> Anton A. Chuvakin, Ph.D.
>> http://www.chuvakin.org
>> http://www.info-secure.org
>>
>>
>>
>
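
Added example, not part of the original thread: the capture-to-file approach suggested in the reply only helps the IDS if the saved file holds whole packets, so this script reads a classic pcap file and reports how many packets were cut short by the snaplen or lost to an incomplete write. The names audit_pcap and build_sample are hypothetical, and the sample capture is constructed in the code.

```python
import struct

# Classic pcap magic numbers as they appear on disk, mapped to struct byte order.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}

def audit_pcap(data):
    """Count packets, snaplen-truncated packets and bytes lost in a pcap blob."""
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    e = PCAP_MAGICS[data[:4]]
    # Global header after the magic: version, tz offset, sigfigs, snaplen, linktype.
    _maj, _min, _zone, _sig, snaplen, linktype = struct.unpack(e + "HHiIII", data[4:24])
    stats = {"snaplen": snaplen, "linktype": linktype, "packets": 0,
             "truncated": 0, "bytes_lost": 0, "incomplete_tail": False}
    off = 24
    while off < len(data):
        if off + 16 > len(data):            # record header cut off mid-write
            stats["incomplete_tail"] = True
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        if off + 16 + incl_len > len(data):  # packet body cut off mid-write
            stats["incomplete_tail"] = True
            break
        stats["packets"] += 1
        if incl_len < orig_len:              # sniffer kept less than was on the wire
            stats["truncated"] += 1
            stats["bytes_lost"] += orig_len - incl_len
        off += 16 + incl_len
    return stats

def build_sample(snaplen, sizes=(60, 1514)):
    """Constructed little-endian Ethernet capture written with the given snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for n, size in enumerate(sizes):
        kept = min(size, snaplen)
        out += struct.pack("<IIII", n, 0, kept, size) + bytes(kept)
    return out

if __name__ == "__main__":
    # 68 bytes was the default snaplen of older tcpdump releases; 65535 keeps whole frames.
    for snaplen in (68, 65535):
        print(snaplen, audit_pcap(build_sample(snaplen)))
```

A non-zero truncated count means the sniffer that wrote the file was not capturing whole packets, so payload-matching rules in the IDS reading it would see only the leading bytes of those packets.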


