On 8/26/05, Jason <[EMAIL PROTECTED]> wrote:
> We are planning on updating a number of old machines, being used as
> IDS sensors, and in the past, there has been a known issue regarding
> gig speeds and pcap with regards to snort.
>
> Has this issue been resolved, I searched archives (the search
> web interface appears to have some issues, and was only returning 4
> results on a generic search of pcap), nothing useful.
>
> Before I spend a significant amount of money on new hardware, I want
> to make sure we have the ability to support it, honestly, I would hate
> to have to move to linux. I have not tried the ports version of pcap
> yet since I don't have the hardware.

Linux doesn't behave better than FreeBSD regarding packet capture. I've developed http://freshmeat.net/projects/glflow/ which is now used to sniff ~800Kbps, and I've come to pretty close results on both platforms. Plain BPF with polling on FreeBSD and PF_RING on Linux. So my guess is that your snort spends most of its time in userspace doing its own computing rather than capturing packets. You should write a small tool that only counts sniffed packets and prints out the average every X seconds, for real comparisons.

>
> Jason
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>

--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
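
The capture-only counter suggested in the reply above, as an added example that is not part of the original message or of glflow. It assumes a Linux AF_PACKET socket (on FreeBSD the same loop would sit on BPF or libpcap); the names `meter`, `meter_tick` and `pktcount` are hypothetical.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>

/* One reporting window; `interval` is the "X seconds" between printed averages. */
struct meter { double last, interval; unsigned long in_window, total; };

/* If the window has run for `interval` seconds at time `now`, return its
 * packets/sec and open a new window; otherwise return -1.0. */
double meter_tick(struct meter *m, double now)
{
    double dt = now - m->last, pps;
    if (dt < m->interval) return -1.0;
    pps = m->in_window / dt;
    m->total += m->in_window;
    m->in_window = 0;
    m->last = now;
    return pps;
}

static double now_sec(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

/* usage (as root): ./pktcount <interface> [seconds]   (hypothetical tool name) */
int main(int argc, char **argv)
{
    char buf[65536];
    struct timeval tv = { 1, 0 };             /* wake up even on an idle link */
    struct tpacket_stats st;
    socklen_t len;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = argc > 1 ? (int)if_nametoindex(argv[1]) : 0 };
    struct meter m = { now_sec(), argc > 2 ? atof(argv[2]) : 5.0, 0, 0 };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("AF_PACKET"); return 1; }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    for (;;) {
        if (recv(fd, buf, sizeof buf, 0) > 0) m.in_window++;   /* count only, no parsing */
        double pps = meter_tick(&m, now_sec());
        len = sizeof st;   /* reading PACKET_STATISTICS resets the kernel counters */
        if (pps >= 0 && getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, &st, &len) == 0)
            printf("%.0f pkt/s (total %lu), kernel drops since last report: %u\n", pps, m.total, st.tp_drops);
    }
}
```

Run it on the same interface and traffic that snort sees: a counter that keeps up with zero kernel drops while snort loses packets points at snort's userspace processing rather than at capture.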