01-21-2003 09:03 AM - edited 03-09-2019 01:46 AM
Can anyone give me an idea of the performance hit that would result in running snoop on the sensing interface of a Cisco IDS (4250) at the same time that the sensor is performing intrusion detection. I would like to run some snoop captures but am worried about the sensor dropping packets, CPU utilization etc.etc. I realize that this probably depends on the amount of traffic, but any help would be appreciated....
Regards, Jeff
01-21-2003 11:04 AM
I am sure there is an impact when snoop is used in conjunction with packetd.
If I had to venture a guess I would bet it is a fairly large impact.
You can test it's affect on the sensor yourself:
Enable the 993 Dropped Packet signature. This signature will fire every few seconds or so and tell you how many packets and what percentage of packets are being dropped by packetd.
During a busy time of day on your network you would want to start up your snoop command and then watch and see what 993 alarms are being generated.
They way you run snoop will also have an affect. Are you simply capturing to the screen, or are you capturing to a file. Are you using filters or are you trying to capture everything. Each of these will affect how much cpu and disk access the snoop command will be stealing from IDS.
Alternatives to snoop:
The packetd program itself has the ability to generate binary packet logs in a libpcap format that can be read by tcpdump, ethereal, and several other freeware tools for anlysis. These logs are referred to as "iplogs".
You can set up packetd to always log packets for a specific ip address/network. So if you have a specific ip address you need to look into, then you could use this feature to capture the packets of interest.
You can also setup packetd to automatically log the binary packets for the source address of a specific alarm for a configurable number of minutes.
But beware that iplogging (binary packet logging) can have a performance impact on the sensor. You will want to use it sparingly, and limit the time of the iplogging as much as possible. Once again you can use the 993 alarm to help determine the impact on performance.
So if you are needing to produce binary packet logs, then the iplogging feature in packetd may be better than snoop logging binary packets. But if you are only using snoop to capture to the screen then snoop may be better.
The only way to know is to test in your specific circumstances/environment.
01-21-2003 11:36 AM
Thanks for the quick reply - I'm aware of the option of using iplogging via packetd but I require more flexibility when capturing data (i.e. boolean operators). Also, I would be capturing to a file. It sounds like this would represent a significant load on the IDS sensor.
I think that setting up a seperate capture station using tcpdump is probably the solution.....
Regards, Jeff
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide