Re: two sniffers on the same eth ifc performance impact?

From: James_T_Matthews@RAYTHEON.COM
Date: 03/27/02


From: James_T_Matthews@RAYTHEON.COM
To: Patrick Andry <pandry@wolverinefreight.ca>
Date: Wed, 27 Mar 2002 15:29:03 -0500



Snort also has the capability to save tcpdump files on the fly.

Patrick Andry <pandry@wolverinefreight.ca> on 03/27/2002 02:06:17 PM

 To:
 cc: focus-ids@securityfocus.com (bcc: James T Matthews/STP/Raytheon/US)
 Subject: Re: two sniffers on the same eth ifc performance impact?
What about just saving the tcpdump to file and piping the output to snort?
That should take care of much of the problems associated with two
programs fighting for the same NIC. IIRC, you can set tcpdump to grab
the entire packet if necessary. Just make sure you have fast disks and
loads of RAM.

o00o_j wrote:

> This may not be possible, and it's a very straightforward approach, but
> what about throwing a second NIC on the host and connecting both NICs
> to a hub along with the uplink? That way you have two interfaces seeing
> the same traffic and you can avoid the problem of packet drops at the
> NIC... of course you could run into other performance problems, but
> they wouldn't be at the NIC level.
>
> regards,
> -j
>
> --- Anton Chuvakin <anton@chuvakin.org> wrote:
>
>>Hi all,
>>
>>Just a quick question - I was not able to find an answer anywhere, and my
>>thinking process somehow doesn't lead me to an answer this time ;-)
>>
>>What is the performance impact of running two sniffers on the same eth0
>>interface in UNIX/Linux? For example, for whatever weird reason I want to
>>run two snorts, or snort and tcpdump. Will it influence the packet drop
>>rates? My problem is that I can test it in a low-traffic environment only,
>>and it will have to be deployed in a high-traffic one ;-(
>>
>>Thanks a lot in advance!
>>
>>Best,
>>--
>> Anton A. Chuvakin, Ph.D.
>> http://www.chuvakin.org
>> http://www.info-secure.org
>>
>>
>>
>
>

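The approach Patrick and James describe, one capture process owning the interface and writing full-length packets to disk while snort reads the finished files, as an added shell example that is not code from anyone in the thread. The interface, capture directory and config path are assumed defaults; the flags are standard tcpdump and snort options, and the parser reads the packet summary tcpdump prints on exit so the kernel drop rate Anton asked about can be measured per capture run.

```shell
#!/bin/sh
# Added example (not code from anyone in the thread): let one process, tcpdump,
# own the NIC and write full-length packets to rotating pcap files, then run
# snort over the finished files instead of having both compete for eth0.
# Assumptions: IFACE/CAP_DIR/SNORT_CONF are hypothetical defaults; the flags
# used are standard tcpdump (-s 0, -G, -W, -w) and snort (-r, -c, -l) options.
IFACE="${IFACE:-eth0}"
CAP_DIR="${CAP_DIR:-/var/tmp/caps}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Turn tcpdump's exit summary (read from stdin) into "captured received dropped".
# "dropped by kernel" is the number the question is about: packets the kernel
# could not hand to the sniffer's socket before its buffer filled.
parse_drops() {
    awk '/packets captured/   { c = $1 }
         /received by filter/ { r = $1 }
         /dropped by kernel/  { d = $1 }
         END { printf "%d %d %d\n", c, r, d }'
}

# Kernel drop rate as a percentage of packets that passed the filter.
# $1 = received by filter, $2 = dropped by kernel; prints "0.00" when nothing was received.
drop_pct() {
    awk -v r="$1" -v d="$2" 'BEGIN { if (r > 0) printf "%.2f\n", 100 * d / r; else print "0.00" }'
}

# Capture with an unlimited snaplen (-s 0) so snort sees whole packets, rotate
# the file every 300 s and stop after 12 files (-G/-W), then analyse each file.
# Needs root (or CAP_NET_RAW) and a disk that can keep up with the link.
capture_then_analyze() {
    mkdir -p "$CAP_DIR"
    tcpdump -i "$IFACE" -n -s 0 -G 300 -W 12 \
        -w "$CAP_DIR/cap-%Y%m%d-%H%M%S.pcap" 2> "$CAP_DIR/tcpdump.err"
    set -- $(parse_drops < "$CAP_DIR/tcpdump.err")
    echo "captured=$1 received=$2 dropped=$3 kernel_drop_pct=$(drop_pct "$2" "$3")"
    for f in "$CAP_DIR"/cap-*.pcap; do
        [ -f "$f" ] && snort -q -r "$f" -c "$SNORT_CONF" -l "$CAP_DIR"
    done
}

# The capture only starts when explicitly requested; the helpers above work on their own.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    capture_then_analyze
fi
```

Run it as root with RUN_CAPTURE=1 on the sensor; a non-zero kernel_drop_pct after a run is the signal that the capture host, not the second sniffer, is the bottleneck.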

