Kmsgsd Benchmarks:

The basic strategy in benchmarking kmsgsd is to get syslogd to write kern.info
messages (which include iptables log messages) to the
/var/lib/psad/psadfifo named pipe. Kmsgsd will then read the messages out of the
pipe as quickly as possible and write them to /var/log/psad/fwdata. To
calculate how fast kmsgsd is, we then compare the number of firewall messages
newly written to /var/log/messages with the number of messages kmsgsd was
able to write to /var/log/psad/fwdata in the same time frame. To generate lots
of firewall "deny" messages we first make sure we have the firewall "default
log and deny" policy loaded, and then proceed to scan the firewall first from a
machine that is linked via a 100MB ethernet segment connected directly to the
firewall with a crossover cable, and second with a scan against the loopback
address from the firewall itself. The second scan keeps network latency
from slowing the scan down.

TEST 1:
    - Scanning machine: PIII 700mhz, kernel 2.2.18
    - Target machine: PIII 700mhz, kernel 2.4.0
    - Ethernet: 100MB connection between the two machines.
    - Perl: 5.005_03
    - Scan command line: nmap -sX -p 5000-60000 <target_machine>
    - Approximate average number of iptables "DROP" messages printed to
      /var/log/messages: 4400
    - Approximate average number of iptables messages caught by kmsgsd and
      printed to /var/log/psad/fwdata: 4325

    Results: kmsgsd catches over 98% of all firewall messages that are
    written by klogd to /var/log/messages. The remaining two percent that
    are missed are probably due to context switching overhead and/or slowness
    of Perl itself, and not much can be done about that (except re-writing it
    in C of course).

TEST 2:
    - We scan the loopback interface on the firewall.
    - PIII 500mhz, 128 MB ram, kernel 2.4.0
    - Perl 5.005_03
    - Scan command line: nmap -sX -p 5000-60000 127.0.0.1
    - Number of iptables "DROP" messages printed to /var/log/messages: 14810
    - Number of iptables messages caught by kmsgsd and written to
      /var/log/psad/fwdata: 14847

    Results: These results are a bit surprising since kmsgsd caught more
    messages in /var/log/psad/fwdata than syslog could write to
    /var/log/messages, but perhaps syslog can write more quickly to a named pipe
    (in this case to /var/lib/psad/psadfifo) than it can to a file (/var/log/messages)
    since it probably would not have to seek() to the end of the file to know
    where to write each message. Hence it would appear that kmsgsd can keep up
    with just about anything thrown at it (for home users anyway). During this
    test kmsgsd had a maximum CPU utilization of 5.6% and a maximum memory
    utilization of 0.8%.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Psad Benchmarks:

To benchmark psad we need to generate lots of messages in the fwdata file.
Normally this is the responsibility of kmsgsd, but to perform an effective test
of just how fast psad is able to parse lots of firewall "deny" messages, we
first create a large file that contains 10,000 lines of the firewall messages,
then we execute "cat /dev/null > /var/log/psad/fwdata", and lastly we copy the
large file to /var/log/psad/fwdata. Psad then detects that 10,000 packets were
just logged by the firewall and starts to process the lines one by one.

    - PIII 500mhz, 128MB ram, kernel 2.4.0
    - Perl 5.005_03

    Results: Psad was able to process all 10,000 lines of firewall messages in
    approximately 16 seconds with a peak CPU and memory utilization of 99.7% and
    3.8% respectively.
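
The kmsgsd comparison from TEST 1 and TEST 2 written as a script, added here as an example and not part of psad: it snapshots the firewall-message counts in both files, runs a traffic generator, and reports the share of new messages that reached fwdata. The "DROP" log prefix, the grep pattern, the DRAIN_SECS variable and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of psad): measure kmsgsd's capture ratio for one run.
# Assumptions: the iptables LOG rule uses a "DROP" --log-prefix, and kmsgsd
# writes the syslog line unchanged. Paths are the ones named in the text.
SYSLOG_FILE=${SYSLOG_FILE:-/var/log/messages}
FWDATA_FILE=${FWDATA_FILE:-/var/log/psad/fwdata}

# Count iptables DROP lines in a file; an unreadable file counts as 0.
count_fw_msgs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'kernel:.*DROP.*IN=.*SRC=' "$1" || true
}

# capture_pct SYS_BEFORE SYS_AFTER FW_BEFORE FW_AFTER
# Prints the percentage (one decimal, truncated) of newly logged messages
# that reached fwdata. Values above 100 are possible, as TEST 2 shows.
capture_pct() {
    sys_new=$(( $2 - $1 ))
    fw_new=$(( $4 - $3 ))
    # A negative delta means a file was rotated or truncated mid-run.
    if [ "$sys_new" -le 0 ] || [ "$fw_new" -lt 0 ]; then
        echo "invalid sample: syslog delta=$sys_new fwdata delta=$fw_new" >&2
        return 1
    fi
    tenths=$(( fw_new * 1000 / sys_new ))
    echo "$(( tenths / 10 )).$(( tenths % 10 ))"
}

# run_benchmark CMD [ARGS...]
# Snapshots both counters, runs the traffic generator, waits for syslogd
# and kmsgsd to drain, then reports the deltas and the capture ratio.
run_benchmark() {
    s0=$(count_fw_msgs "$SYSLOG_FILE"); f0=$(count_fw_msgs "$FWDATA_FILE")
    "$@" >/dev/null 2>&1 || return 1
    sleep "${DRAIN_SECS:-5}"
    s1=$(count_fw_msgs "$SYSLOG_FILE"); f1=$(count_fw_msgs "$FWDATA_FILE")
    pct=$(capture_pct "$s0" "$s1" "$f0" "$f1") || return 1
    echo "syslog=$(( s1 - s0 )) fwdata=$(( f1 - f0 )) captured=${pct}%"
}
```

For the TEST 2 setup, source the file on the firewall and call "run_benchmark nmap -sX -p 5000-60000 127.0.0.1"; a capture ratio well below 100 means psad is analysing an incomplete record of what the firewall logged.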