On Wed, Oct 28, 2009 at 4:35 PM, Andrea Venturoli <m...@netfence.it> wrote:

> Some years ago, I checked to see whether I would be able to let a single
> snort process listen on more than one NIC.
> At the time it was only possible in Linux.

In Linux the packet capture facility is implemented in a different (and very inefficient) manner, via raw sockets (which means that, in order to reach userspace, a packet has to travel the whole IP stack - including firewall - until delivery to the user process). BSD has BPF, which basically delivers a copy of the packet to the userspace right before it enters the IP stack for kernel processing. Each network driver does this through the BPF_TAP() macro.

> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort processes
> to listen on more than one interface?
> Can some netgraph node help with this?

You can try lagg(4) with the "loadbalance" option, ng_one2many(4), or ng_fec(4).

> bye & Thanks
> av.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
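As an added example (not part of the thread, and not a recipe from the snort or FreeBSD projects), here is the lagg(4) "loadbalance" approach from the reply written out as a small sh script: it builds the ifconfig(8) commands that create a lagg interface over several member NICs and the matching rc.conf(5) lines, so that one snort process can attach to the single aggregate interface instead of one process per NIC. The member names em0 and em1, the lagg name lagg0 and the snort.conf path are constructed placeholders; the script only prints commands unless run with the "apply" argument on the sensor as root.

```shell
#!/bin/sh
# Added example: aggregate several capture NICs into one lagg(4) interface
# so a single sniffer process can listen on all of them. Interface names
# below (lagg0, em0, em1) are placeholders chosen for this example.
set -eu

# Print the ifconfig(8) commands that create $1 in loadbalance mode with the
# remaining arguments as member ports. Refuses fewer than two members, since
# aggregating a single NIC gains nothing.
lagg_cmds() {
    lagg=$1; shift
    if [ "$#" -lt 2 ]; then
        echo "lagg_cmds: need at least two member interfaces" >&2
        return 1
    fi
    echo "ifconfig $lagg create"
    ports=""
    for p in "$@"; do
        echo "ifconfig $p up"          # members must be up before joining
        ports="$ports laggport $p"
    done
    echo "ifconfig $lagg laggproto loadbalance$ports up"
}

# Print the equivalent persistent configuration for /etc/rc.conf.
rc_conf_lines() {
    lagg=$1; shift
    if [ "$#" -lt 2 ]; then
        echo "rc_conf_lines: need at least two member interfaces" >&2
        return 1
    fi
    echo "cloned_interfaces=\"$lagg\""
    ports=""
    for p in "$@"; do
        echo "ifconfig_$p=\"up\""
        ports="$ports laggport $p"
    done
    echo "ifconfig_$lagg=\"laggproto loadbalance$ports up\""
}

# The sniffer then attaches to the aggregate interface only. The snort.conf
# path is an assumed location for this example.
snort_cmd() {
    echo "snort -i $1 -c /usr/local/etc/snort/snort.conf"
}

case "${1:-show}" in
    show)
        lagg_cmds lagg0 em0 em1
        echo "# /etc/rc.conf:"
        rc_conf_lines lagg0 em0 em1
        echo "# capture:"
        snort_cmd lagg0
        ;;
    apply)
        # Executes the interface commands; run on the FreeBSD sensor as root.
        lagg_cmds lagg0 em0 em1 | sh -ex
        ;;
esac
```

Run it without arguments to review the generated commands first; "apply" executes only the interface setup, leaving the rc.conf lines and the snort invocation for you to place by hand. Frames received on any member port are delivered to lagg0, which is what lets the single capture process see all NICs.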