On 8/26/05, Jason <freebsd-stable@tcpipbitch.net> wrote:
> We are planning on updating a number of old machines, being used as
> IDS sensors, and in the past, there has been a known issue regarding
> gig speeds and pcap with regards to snort.
>
> Has this issue been resolved? I searched archives (the search
> web interface appears to have some issues, and was only returning 4
> results on a generic search of pcap), nothing useful.
>
> Before I spend a significant amount of money on new hardware, I want
> to make sure we have the ability to support it, honestly, I would hate
> to have to move to linux. I have not tried the ports version of pcap
> yet since I don't have the hardware.
Linux doesn't behave better than FreeBSD regarding packet capture.
I've developed http://freshmeat.net/projects/glflow/ which is now used
to sniff ~800Kbps, and I've come to pretty close results on both
platforms. Plain BPF with polling on FreeBSD and PF_RING on Linux. So
my guess is that your snort spends most of its time in userspace doing
its own computing rather than capturing packets. You should write a
small tool that only counts sniffed packets and prints out the average
every X seconds, for real comparisons.
>
> Jason
--
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
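
A sketch of the count-only tool suggested in the reply above, as an added example that is not part of the original message or of glflow. It assumes the capture arrives as a pcap stream on stdin, for instance `tcpdump -i em0 -U -w - | python3 pktrate.py` (the interface `em0` and the script name are assumptions), and it averages over windows of capture timestamps without ever inspecting packet contents.

```python
import struct
import sys

# pcap global-header magic bytes -> (struct byte order, timestamp fraction divisor)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def read_exact(stream, n):
    """Read exactly n bytes from a pipe or file; None on EOF or truncation."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def packet_rates(stream, interval=5.0):
    """Yield (window_start, packets, wire_bytes, avg_pps) for each interval."""
    hdr = read_exact(stream, 24)
    if hdr is None or hdr[:4] not in MAGICS:
        raise ValueError("not a pcap stream")
    order, frac = MAGICS[hdr[:4]]
    start, pkts, octets = None, 0, 0
    while True:
        rec = read_exact(stream, 16)             # per-packet record header
        if rec is None:
            break
        sec, sub, caplen, wirelen = struct.unpack(order + "IIII", rec)
        if read_exact(stream, caplen) is None:   # skip payload; drop a cut-off record
            break
        ts = sec + sub / frac
        if start is None:
            start = ts                           # first packet opens the first window
        while ts >= start + interval:            # close finished windows, empty ones too
            yield (start, pkts, octets, pkts / interval)
            start, pkts, octets = start + interval, 0, 0
        pkts += 1
        octets += wirelen
    if pkts:                                     # trailing partial window
        yield (start, pkts, octets, pkts / interval)

if __name__ == "__main__":
    for start, pkts, octets, pps in packet_rates(sys.stdin.buffer, 5.0):
        print(f"{start:.0f}: {pkts} pkts, {octets} bytes, {pps:.1f} pkt/s", flush=True)
```

Comparing these per-window averages with the sensor's own processed-packet counts over the same traffic shows whether packets are lost at capture or in userspace analysis.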