Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] mmapped libpcap statistics

from [Joe Patterson] Network Security [Permanent Link]
Subject: [Snort-users] mmapped libpcap statistics
Date: Thu, 30 Dec 2004 17:17:49 -0500 
I've been playing around with Phil Wood's mmap'ed libpcap, and before I
started doing any snort benchmarking with it I thought I'd do some tcpdump
benchmarking with it.  The results seem a bit odd to me, and I'm wondering
how trustworthy the statistics it's generating are.

FYI, I'm running linux 2.6.5, compiled with CONFIG_PACKET=y and
CONFIG_PACKET_MMAP=y, using Phil Wood's libpcap (libpcap-1.0.20041001) and
tcpdump version 3.8.3 on an Intel Corp. 82547EI Gigabit Ethernet Controller
connected back-to-back with another machine.  The machine is a single
processor hyperthreaded PentiumIV 2.8GHz with 2GB ram. I'm generating
high-data-rate traffic by doing a netcat-to-netcat copy (actually
bash-to-netcat) of an approximately one gigabyte file from one machine to
the other, while running tcpdump with the following variables:

PCAP_STATS=0x21fff PCAP_VERBOSE=1 PCAP_FRAMES=max PCAP_PERIOD=1000

and a command line of:

tcpdump -nl -i eth0 -s 1550 -w /dev/null

The statistics show that it's dropping a lot of packets.  But I'm starting
to have some misgivings about the statistics.  For instance, one period
shows:
S:1104424579 105432 124051 229376 0 229340 245289582 112388288 86 14612
52256 1 1 0
The numbers that disturb me here (besides the 124K dropped packets) are the
fact that the bytes seen by the device are 245289582, or 1,962,316,656 bits
in one second.  Although the link *is* full duplex, the only traffic going
out *should* be acks, and probably not too many of those.  I doubt that I'm
actually getting 1.8 gigabits/sec throughput on a single gigabit ethernet
adaptor.

What are the chances that I'm overrunning a counter somewhere, and those
statistics really aren't acurate?

BTW, if you're interested, the full output of the dump is:
# PCAP_STATS=0x21fff PCAP_VERBOSE=1 PCAP_FRAMES=max PCAP_PERIOD=1000
tcpdump -nl -i eth0 -s 1550 -w /dev/null
libpcap version: 1.0
Kernel filter, Protocol 0300, MMAP mode (32760 frames, snapshot 1550),
socket type: Raw
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1550
bytes
S:1104424560.546902 5 0 6 0 6 612 490 3 5 2 0 000000001.999415 0
S:1104424563.546088 6 0 6 0 6 612 588 4 11 2 1 000000002.000414 0
S:1104424567.547916 8 0 8 0 8 816 784 6 19 2 1 000000001.999415 0
S:1104424573.563900 95735 36458 157913 0 157939 169099026 103808790 6103
30234 34023 1 000000001.000021 0
S:1104424574.563921 83591 0 57996 0 57997 60128382 86743150 0 15545 83591 0
000000001.000011 0
S:1104424575.568316 120302 0 124601 0 124614 129166068 124217412 797 4807
95722 1 000000001.000035 0
S:1104424576.568351 118027 0 141841 0 141825 147048574 121900342 0 24554
118027 0 000000001.000013 0
S:1104424577.568364 113946 2508 120859 0 120874 125489772 117706956 0 7460
113946 0 000000001.000018 0
S:1104424579.006888 105432 124051 229376 0 229340 245289582 112388288 86
14612 52256 1 000000001.000000 0
S:1104424580.006888 29618 0 5654 0 5665 6092528 31727884 0 11470 29618 0
000000001.000632 0
S:1104424581.184533 92437 0 83867 0 83904 91238226 100061026 3802 5627 30830
1 000000001.000000 0
S:1104424582.184533 93410 14956 109340 0 109289 115767926 98966684 6475 757
41597 0 000000001.000428 0
853494 packets captured
1031467 packets received by filter
177973 packets dropped by kernel
S:0.184961 977 0 0 0 0 0 1051546 8 1734 977 0 000000000.3807635573 0

Or is this just what I'm getting?

-Joe Patterson, CCNP, CISSP
Senior Security Engineer
SteelCloud, Inc.
(954)318-3200x105
jpatterson@asgardgroup.com





-------------------------------------------------------
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-users] mmapped libpcap statistics, Joe Patterson <=
Previous by Date:  [Snort-users] ClamAV patch against 2.3.0RC2, Will Metcalf
Next by Date:  [Snort-users] problems about install snort-2.3 wiht mysql-5.0, defa yin
Previous by Thread:  [Snort-users] ClamAV patch against 2.3.0RC2, Will Metcalf
Next by Thread:  [Snort-users] problems about install snort-2.3 wiht mysql-5.0, defa yin
Indexes:  [Date] [Thread] [Top] [All Lists]