Re: [Sguil-users] cxtracker
From: Edward B. F. <edw...@re...> - 2009-10-22 09:06:47
Edward Bjarte Fjellskål wrote:
> Hi,
>
> My initial test shows me that cxtracker is 20-30% less CPU intensive
> than sancp. The memory footprint is the same.

14:59 < nr> ebf0: you might try compiling against Phil Wood's memory mapped libpcap
15:00 < nr> ebf0: if one of the reasons for it is better performance, people that need performance may be using mmap libpcap
16:09 < nr> ebf0: i just know i have to set PCAP_FRAMES=0 (disable mmap) with sancp
16:09 < nr> so another option that performs better would definitely interest me

So I did...

For a 5 minute run, on traffic ranging from 20-150 Mbit/s, the pidstat output summary shows over 50% less CPU use:

Average:      PID   %user %system    %CPU   CPU  Command
Average:     5450    1.98    8.97   10.95     -  sancp
Average:     5322    1.38    2.79    4.16     -  cxtracker

running cxtracker like:

LD_LIBRARY_PATH=/tmp/test/ PCAP_FRAMES=9999 ./cxtracker -i eth1 -d /nsm_data/sensor/sancp -u nsm -g nsm -b 'vlan and ip' -D

and sancp like:

/usr/bin/sancp -d /nsm_data/sensor/sancp/ -c /etc/sguil-sensor/sancp.conf -u nsm -g nsm -i eth1 'vlan and ip'

sancp.conf is default.

I have not played with mmap libpcap before, but with PCAP_FRAMES=9999, it seems to eat up about 624MB of memory...
I'm still playing with PCAP_FRAMES to see how this affects cxtracker.

> I have some more thoughts before a 1.0 release, like chroot and

chroot done

> standardizing on an IPv6 notation in the output (right now it just
> writes out the IPv6 in the "human readable format", but a decimal
> notation I guess would be better in the future).

Seems like I'm sticking with the default IPv6 ascii notation due to:
http://oierud.name/~kjellm/bliki/IPv6AdressesAndMysql.html ..
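As an added example, not part of the original post or of the cxtracker or sancp projects, the script below parses the pidstat "Average:" summary rows quoted above and computes the relative CPU saving, splitting it into user and system time so the effect of the mmap libpcap (which mostly cuts system time spent copying packets) is visible. The sample text is constructed from the numbers in the post; the function names are the example's own.

```python
"""Parse pidstat 'Average:' summary rows and compare per-process CPU use.

Added example: the sample below is constructed from the pidstat summary
quoted in the mailing-list post (same PIDs and percentages).
"""
import re

# Constructed sample: header plus the two "Average:" rows from the post.
SAMPLE_PIDSTAT = """\
Average:      PID   %user %system    %CPU   CPU  Command
Average:     5450    1.98    8.97   10.95     -  sancp
Average:     5322    1.38    2.79    4.16     -  cxtracker
"""

# One summary row: PID, %user, %system, %CPU, CPU column (a dash or number), command.
_ROW = re.compile(
    r"^Average:\s+(?P<pid>\d+)\s+(?P<user>[\d.]+)\s+(?P<system>[\d.]+)"
    r"\s+(?P<cpu>[\d.]+)\s+\S+\s+(?P<cmd>\S+)\s*$"
)


def parse_pidstat_averages(text):
    """Return {command: {'pid': int, 'user': float, 'system': float, 'cpu': float}}.

    The header row ("PID" is not numeric) and any non-summary lines are skipped.
    """
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        rows[m.group("cmd")] = {
            "pid": int(m.group("pid")),
            "user": float(m.group("user")),
            "system": float(m.group("system")),
            "cpu": float(m.group("cpu")),
        }
    return rows


def reduction_percent(rows, baseline, candidate, field="cpu"):
    """Percent less of `field` the candidate used relative to the baseline, rounded to 0.1."""
    base = rows[baseline][field]
    cand = rows[candidate][field]
    return round((base - cand) / base * 100, 1)


def summarize(text, baseline="sancp", candidate="cxtracker"):
    """Reductions for total, user and system CPU between two commands in a pidstat summary."""
    rows = parse_pidstat_averages(text)
    return {f: reduction_percent(rows, baseline, candidate, f) for f in ("cpu", "user", "system")}


if __name__ == "__main__":
    # Prints the reductions for the constructed sample; total CPU is about 62% lower.
    for field, pct in summarize(SAMPLE_PIDSTAT).items():
        print(f"{field:>6}: cxtracker uses {pct}% less than sancp")
```

Run it as-is to see the figures from the post, or feed it the output of a real `pidstat -p <pid1>,<pid2> <interval> <count>` run (assumed invocation; check your sysstat version) to compare any two capture processes.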