One quick tangential result. Because we are no longer using UDP, our maximal values for snort_inline.null have been revised down. For a more in-depth discussion of why this happened, check out the note in
One quick tangential result of this is that the maximal speeds for the snort_inline.conf have decreased by about 1-2 Kpsec and 50-60 mbits/sec. The primary reasons for this are threefold: 1) the UDP generator can generate smaller packets faster than the TCP generators; 2) snort_inline is primarily packet/second limited; 3) larger packets are computationally cheaper to pass through than multiple smaller packets. The UDP traffic profile can generate a packet stream that averages 1400+ bytes/packet. Most normal TCP sessions will have an average packet size less than this. The graphs below display this phenomenon on the snort_inline.null configuration.
There are a few interesting things going on in the graphs below.
[Graphs: Snort_inline.null with varying traffic profiles on the Realtek_dual. Traffic profiles plotted: UDP, Wget and Wget_mtuslide in one graph; Wget and Wget_mtuslide in the other.]