As Honeyd can simulate thousands of machines and address space
that can be arbitrarily large, it is important to analyze how

This simple analysis looks at the bandwidth Honeyd can support
when responding to ICMP ping requests. We count the ICMP packets
returned when sending ping requests to the interface of the host
that Honeyd runs on, to the IP address of the entry router that
Honeyd simulates, and to random IP addresses in C-class networks
in the simulated routing topology. One C-class network is one hop
away from the entry router; the other is two hops away.

In general, Honeyd makes use of advanced data structures to increase
performance. The routing topology at each router uses ternary trees
and provides O(log(n)) lookups for networks. Other data structures
within Honeyd use hash tables or splay trees.
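
The text above does not show how Honeyd lays out its tree, so what follows is an added sketch and not Honeyd's own code: one way a three-way tree can resolve an address to the most specific simulated network (longest-prefix match). The `net` structure, the function names, the `hops` payload and the sample 10.x networks are assumptions made for this example, and shorter prefixes must be inserted first.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* One node per network; children split the other networks three ways. */
struct net {
    uint32_t addr, mask;        /* network address and netmask, host order */
    int hops;                   /* constructed payload: hops past the entry router */
    struct net *lo, *sub, *hi;  /* networks below / inside / above this one */
};

/* Insert addr/len. Assumption: shorter prefixes are inserted first, so a new
 * network is never a supernet of one already in the tree. */
static struct net *net_insert(struct net *n, uint32_t addr, int len, int hops)
{
    uint32_t mask = len ? ~(uint32_t)0 << (32 - len) : 0;
    if (n == NULL) {
        if ((n = calloc(1, sizeof(*n))) == NULL) abort();
        n->addr = addr & mask; n->mask = mask; n->hops = hops;
    } else if ((addr & n->mask) == n->addr) {
        if (mask == n->mask) n->hops = hops;   /* same network: update */
        else n->sub = net_insert(n->sub, addr, len, hops);
    } else {                                   /* disjoint: order by address */
        struct net **side = addr < n->addr ? &n->lo : &n->hi;
        *side = net_insert(*side, addr, len, hops);
    }
    return n;
}

/* Longest-prefix match: hops of the most specific network holding ip, or -1. */
static int net_lookup(const struct net *n, uint32_t ip)
{
    int best = -1;
    while (n != NULL) {
        if ((ip & n->mask) == n->addr) { best = n->hops; n = n->sub; }
        else n = ip < n->addr ? n->lo : n->hi;
    }
    return best;
}

int main(void)
{
    struct net *t = net_insert(NULL, IP(10, 0, 0, 0), 8, 0);  /* constructed topology */
    t = net_insert(t, IP(10, 1, 0, 0), 24, 1);
    t = net_insert(t, IP(10, 1, 1, 0), 24, 2);
    printf("%d %d\n", net_lookup(t, IP(10, 1, 1, 200)), net_lookup(t, IP(192, 0, 2, 1)));
    return 0;
}
```

This sketch never rebalances, so a lookup costs one comparison per tree level and is logarithmic only while the tree stays balanced.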

To determine Honeyd's TCP performance, we measure the number of TCP
transactions per second that Honeyd supports for different
configurations. The upper graph on the right shows the performance
when using the default template for all honeypots and when using an
individual template for each honeypot. Performance decreases slightly
when each of the 65K honeypots is configured individually. The lower
graph shows the performance for contacting honeypots at different
levels of a routing topology. On a 1 GHz Pentium II processor, Honeyd
supports about 2000 transactions per second.