# Firewall Performance Testing Tools?

## Mnemia

I'm trying to find some suitable tools for testing the performance of a firewall system I've put together under a number of different traffic conditions. I'd ideally like something that can automatically collect some statistics and report them back to me while also generating the traffic. I'd really like it if it could simulate real traffic like HTTP, FTP, SMTP, instead of just blasting out packets on a single connection.

Looking through the various open source tools like this, I've been pretty unsatisfied. There are a lot of options but most are pretty subpar.

1. TTCP - seems to be too primitive to do what I want to do. I'd be open to using it if I could find a variant that allows for more types of traffic generation.

2. Netperf - Would work except that I can't figure out how to reliably let its control connections through my firewall rules. It seems to dynamically assign both the source and destination ports for its control connections, making it nearly impossible to allow them through the firewall.

3. Netspec - this *looks* a little better and more sophisticated based on its website but is apparently unmaintained. I got it to compile on Linux but then it started spitting out errors about sockets and such. I think it's not compatible with the 2.4 kernel maybe.

Do you guys know of any other tools like this that are better than what I've mentioned? Alternatively if anyone knows how I can make NetPerf function through an iptables-based firewall I'd be happy with that solution.
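The port pinning that lets netperf through a static iptables ruleset, as an added example (not from the thread). It assumes a netperf/netserver new enough to take `-p port,lport` for the control connection and the test-specific `-- -P lport,rport` for the data connection, which the 2.4-series releases do (check `netperf -h` on an older build); addresses and port numbers are constructed. The control connection always goes to netserver's port 12865 by default; it is the per-test data connection whose ports are picked at run time unless pinned, and a stateful FORWARD chain only needs to see the first SYN of each flow.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumes netperf option syntax:
#   global      -p port,lport     control connection: netserver port, local port
#   test-level  -- -P lport,rport data connection: local port, remote port
# and an iptables FORWARD chain on the firewall between CLIENT and SERVER.

CLIENT=192.0.2.10      # netperf side (constructed address)
SERVER=198.51.100.20   # netserver side (constructed address)
CTRL_PORT=12865        # netserver's default control port
CTRL_LPORT=12866       # pinned local port of the control connection
DATA_LPORT=12000       # pinned local port of the data connection
DATA_RPORT=12001       # pinned remote port of the data connection

# Emit the FORWARD rules: one generic rule for reply/established traffic, then
# one NEW rule per pinned flow (control, data).  Nothing else is opened.
netperf_fw_rules() {
  cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $CLIENT --sport $CTRL_LPORT -d $SERVER --dport $CTRL_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -s $CLIENT --sport $DATA_LPORT -d $SERVER --dport $DATA_RPORT -m state --state NEW -j ACCEPT
EOF
}

# Emit the matching client invocation with every port pinned; the test name
# (TCP_STREAM, TCP_RR, ...) is the only variable part.  -l 60 = 60 s run.
netperf_cmd() {
  test=${1:-TCP_STREAM}
  echo "netperf -H $SERVER -p $CTRL_PORT,$CTRL_LPORT -t $test -l 60 -- -P $DATA_LPORT,$DATA_RPORT"
}

# Stand-alone: print the rules (pipe into sh on the firewall) and the command.
netperf_fw_rules
netperf_cmd TCP_STREAM
```

On the server side start `netserver -p 12865` as usual. If a rerun fails to bind the pinned local data port, the previous connection is still in TIME_WAIT; pick another pinned port pair or wait it out. UDP tests use a UDP data connection and need their own rule.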

----------

## ben

It may not be what you are looking for but I would suggest

nmap www.insecure.org/nmap/

saint www.wwdsi.com/saint/

satan http://ciac.llnl.gov/ciac/ToolsUnixNetSec.html#Satan

HTH

Ben

----------

## To

I think that nmap should do the work you're looking for. You have the address on ben's post.

Tó

----------

## Mnemia

Sorry if I wasn't clear on my previous post.

I'm not so much interested in the security of my setup (nmap would do wonderfully if that was what I was doing).

I'm actually trying to find something that will let me test throughput through the firewall. Preferably with the ability to generate traffic through the firewall and then tell me how long it took. I'm trying to measure the impact of the firewall on network throughput more than I'm trying to determine if my firewall is secure.

I think it's looking like I'll have to just use ttcp, but I'm not happy with its capabilities.

----------

## y0n

If you want a more extensive list, here are the top 75 security tools from a survey conducted on the nmap-hackers mailing list for 2003. Very powerful tools here.

----------

## y0n

Heh... sorry for my post. Submitted it after you submitted your 2nd post.

----------

## Mnemia

*y0n wrote:*

> Heh... sorry for my post. Submitted it after you submitted your 2nd post.

Hey, thanks anyway. While it doesn't really have anything that's along the lines of what I'm looking for, that's still a really good list of links. I found a couple tools in there that I didn't know about.

----------

## ben

Well I almost knew I was not on target. I do not know about the specific tool you are looking for, but:

Network performance is mainly driven by two parameters:

1./ latency

2./ bandwidth

So instead of a UTP Cat5 network link you have a firewall; you should measure those two parameters, and this will give you a good idea of what the bottleneck is.

1./ latency: ping is a wonderful instrument, you can test with different payload sizes

Telnet combined with bash scripting or perl can also generate a lot of different connections (HTTP, POP, IMAP, SSH, FTP, ...) and measure their response times

With Ethereal, you can see clearly which connection is having more delay than the others

2./ one or two ftp or scp sessions with a 500MB transfer should give you a view of the bandwidth

At the same time, you can monitor the firewall CPU load, and the network card for packets transferred

HTH

Ben
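The scripted-connection measurement from the post above, done in one program instead of telnet plus shell glue: an added example, not code from the thread or from any poster. It times TCP connect and time-to-first-response for several application-layer targets concurrently and aggregates the samples per protocol. The target list, the probe strings and the loopback banner server it exercises itself against are constructed; for a real run, point the targets at services on the far side of the firewall.

```python
"""Added example (not from the thread): concurrent per-protocol connection timer.
Targets, probes and the loopback banner server are constructed stand-ins."""
import socket
import statistics
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# What to send once connected.  b"" means the server speaks first (SMTP/FTP/POP3
# banners) so we only wait; HTTP needs a request before it answers.
PROBES = {
    "http": b"HEAD / HTTP/1.0\r\n\r\n",
    "smtp": b"",
    "ftp": b"",
    "pop3": b"",
}


def time_connection(host, port, probe=b"", timeout=5.0):
    """Return (connect_seconds, first_byte_seconds); raises OSError on failure."""
    t0 = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        t_connect = time.perf_counter() - t0
        if probe:
            sock.sendall(probe)
        if not sock.recv(4096):  # EOF before any response counts as a failure
            raise OSError("connection closed before any response")
        t_first = time.perf_counter() - t0
    finally:
        sock.close()
    return t_connect, t_first


def run_batch(targets, repeat=5, workers=8):
    """targets: list of (label, host, port, probe).  Each target is tried `repeat`
    times with up to `workers` connections open at once, so the firewall sees a
    mix of flows rather than one at a time.  Returns {label: [sample or None]}."""
    results = {label: [] for label, _h, _p, _pr in targets}
    lock = threading.Lock()

    def one(label, host, port, probe):
        try:
            sample = time_connection(host, port, probe)
        except OSError:  # refused, timed out, reset: recorded, not fatal
            sample = None
        with lock:
            results[label].append(sample)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        for _ in range(repeat):
            for target in targets:
                pool.submit(one, *target)
    return results


def summarize(results):
    """Per label: attempts, failures, median/max connect and first-byte time in ms."""
    summary = {}
    for label, samples in results.items():
        ok = [s for s in samples if s is not None]
        row = {"attempts": len(samples), "failed": len(samples) - len(ok)}
        if ok:
            row["connect_ms_median"] = 1000 * statistics.median(c for c, _ in ok)
            row["first_byte_ms_median"] = 1000 * statistics.median(f for _, f in ok)
            row["first_byte_ms_max"] = 1000 * max(f for _, f in ok)
        summary[label] = row
    return summary


def start_banner_server(banner, port=0):
    """Constructed stand-in for a real service: greets each client with `banner`,
    drains whatever the client sends, then closes.  Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(64)

    def loop():
        while True:
            conn, _ = srv.accept()
            try:
                conn.settimeout(2)
                conn.sendall(banner)
                while conn.recv(4096):
                    pass
            except OSError:
                pass
            finally:
                conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    smtp_port = start_banner_server(b"220 mail.example ESMTP\r\n")
    http_port = start_banner_server(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    targets = [("smtp", "127.0.0.1", smtp_port, PROBES["smtp"]),
               ("http", "127.0.0.1", http_port, PROBES["http"])]
    for label, row in summarize(run_batch(targets, repeat=10)).items():
        print(label, row)
```

Run it once with the firewall bypassed and once through it, and the difference in the per-protocol medians is the firewall's cost for connection setup; the `failed` count tells you whether a rule is dropping a flow outright, which a pure throughput tool would not show.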

----------

## Mnemia

Cool, thanks.

I know how to do all these things to get an idea of the bottlenecks, but I was just wondering if there was a specialized tool to automate the gathering of this sort of data for a lot of different connection types. I think I can make do with what I have if no one knows of something like that.

----------

## devon

Check out http://www.caip.rutgers.edu/~arni/linux/tg1.html. Has some other programs you didn't list.

----------

## Mnemia

OK, for the project I was working on, we ended up looking at the code for several of the open source options (Netperf, chiefly) and writing our own simple packet generator and receiver. This was good in that it was pretty simple and gave easy-to-interpret results, but it was far from ideal.

This had some problems in that our solution wasn't really sophisticated enough to simulate multi-connection traffic. I'd like to have a traffic generator program that could time multiple connections at once using a variety of real-world protocols, all in one program. We could simulate this using multiple instances of our program but it wasn't ideal for aggregating the data.

Netspec looked promising for doing something like this to me, but it's hopelessly out of date. It doesn't appear to have ever been designed to run on Linux, and I had serious problems with getting it to compile. It never actually ran correctly once I did get it to work because its socket code appears to be for some ancient proprietary Unix.

I think this is a serious gap in Linux networking utilities. I'd be interested in starting a project to write one if I had the time. Maybe next year.
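A minimal multi-stream throughput generator and receiver in one program, as an added example; it is not the poster's generator or any code from the thread. It does the ttcp-style bulk transfer the thread keeps coming back to, but with N concurrent streams timed and the numbers aggregated in one place, which is the gap the post above describes. It runs against itself on loopback here; for a real measurement the receiver sits on one side of the firewall and the senders on the other. Port, sizes and stream counts are constructed.

```python
"""Added example (not from the thread): multi-stream TCP throughput test.
Port, transfer sizes and stream counts below are constructed."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

CHUNK = 64 * 1024


def start_receiver(expected_streams, port=0):
    """Listen on 127.0.0.1:port and count bytes per accepted stream until EOF.
    Returns (port, results, done): results fills with (bytes, seconds) per
    stream and done is set once expected_streams streams have finished."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(expected_streams)
    results, done, lock = [], threading.Event(), threading.Lock()

    def serve(conn):
        received, t0 = 0, time.perf_counter()
        with conn:
            while True:
                buf = conn.recv(CHUNK)
                if not buf:
                    break
                received += len(buf)
        with lock:
            results.append((received, time.perf_counter() - t0))
            if len(results) == expected_streams:
                done.set()

    def accept_loop():
        for _ in range(expected_streams):
            conn, _ = srv.accept()
            threading.Thread(target=serve, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], results, done


def send_stream(host, port, nbytes):
    """Open one connection and push nbytes through it; return (bytes, seconds).
    The clock stops when the last sendall returns, i.e. when the data has left
    the local socket buffer, not when the far end has read it."""
    payload = b"\x5a" * CHUNK  # fixed filler; content is irrelevant to throughput
    sent, t0 = 0, time.perf_counter()
    with socket.create_connection((host, port)) as sock:
        while sent < nbytes:
            chunk = payload[: nbytes - sent] if nbytes - sent < CHUNK else payload
            sock.sendall(chunk)
            sent += len(chunk)
    return sent, time.perf_counter() - t0


def run_streams(host, port, streams, nbytes_per_stream):
    """Run `streams` senders concurrently; return per-stream and aggregate Mbit/s."""
    t0 = time.perf_counter()
    with ThreadPoolExecutor(max_workers=streams) as pool:
        per_stream = list(pool.map(lambda _: send_stream(host, port, nbytes_per_stream),
                                   range(streams)))
    wall = time.perf_counter() - t0
    total = sum(n for n, _ in per_stream)
    return {
        "streams": streams,
        "bytes_total": total,
        "per_stream_mbit_s": [8 * n / max(t, 1e-9) / 1e6 for n, t in per_stream],
        "aggregate_mbit_s": 8 * total / max(wall, 1e-9) / 1e6,
        "wall_s": wall,
    }


def receiver_mbit_s(results):
    """Receiver-side view: per-stream Mbit/s computed from bytes actually read."""
    return [8 * n / max(t, 1e-9) / 1e6 for n, t in results]


if __name__ == "__main__":
    port, results, done = start_receiver(expected_streams=4)
    report = run_streams("127.0.0.1", port, streams=4, nbytes_per_stream=16 << 20)
    done.wait(30)
    print("sender side:", report)
    print("receiver side Mbit/s:", receiver_mbit_s(results))
```

Trust the receiver-side numbers over the sender's: a sender's clock stops when its socket buffer drains, so with a firewall queueing packets in between the sender can report a rate the far end never saw. Comparing `aggregate_mbit_s` for 1, 4 and 16 streams against the same run with the firewall bypassed shows whether the box scales with connection count or only with bytes.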

----------

