From: Vlad GALU
To: Jason
Cc: freebsd-stable@freebsd.org
Date: Tue, 30 Aug 2005 10:22:13 +0300
Subject: Re: pcap and gig speeds.
Message-ID: <79722fad050830002252a1254c@mail.gmail.com>
In-Reply-To: <20050826120500.GA8907@thevoid.delnoch.net>

On 8/26/05, Jason wrote:
> We are planning on updating a number of old machines, being used as
> IDS sensors, and in the past, there has been a known issue regarding
> gig speeds and pcap with regards to snort.
>
> Has this issue been resolved? I searched archives (the search
> web interface appears to have some issues, and was only returning 4
> results on a generic search of pcap), nothing useful.
>
> Before I spend a significant amount of money on new hardware, I want
> to make sure we have the ability to support it, honestly, I would hate
> to have to move to Linux. I have not tried the ports version of pcap
> yet since I don't have the hardware.

Linux doesn't behave better than FreeBSD regarding packet capture.
I've developed http://freshmeat.net/projects/glflow/ which is now used
to sniff ~800Kbps, and I've come to pretty close results on both
platforms. Plain BPF with polling on FreeBSD and PF_RING on Linux. So my
guess is that your snort spends most of its time in userspace doing its
own computing rather than capturing packets. You should write a small
tool that only counts sniffed packets and prints out the average every
X seconds, for real comparisons.

>
> Jason

-- 
If it's there, and you can see it, it's real.
If it's not there, and you can see it, it's virtual.
If it's there, and you can't see it, it's transparent.
If it's not there, and you can't see it, you erased it.
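
The count-only tool suggested in the reply above, sketched as an added example that is not part of the original message or of glflow. It goes slightly beyond the suggestion by also printing libpcap's kernel drop counter (`pcap_stats`); the names `meter_packet` and `LIVE_PCAP` and the 5-second interval are assumptions.

```c
/* Added example (not from the original post): count-only capture rate meter.
 * Live build: cc -DLIVE_PCAP -o pktrate pktrate.c -lpcap ; ./pktrate <iface>
 * Without -DLIVE_PCAP, main() replays constructed timestamps instead. */
#include <stdio.h>
#ifdef LIVE_PCAP
#include <pcap.h>
static pcap_t *handle;
#endif

struct meter { double interval, start; unsigned long pkts; int started; };

/* Count one packet seen at `now` (seconds). Returns the average packets/s of
 * the window that just closed, or -1.0 while the window is still open. */
double meter_packet(struct meter *m, double now)
{
    double pps = -1.0;
    if (!m->started) { m->start = now; m->started = 1; }
    if (now - m->start >= m->interval) {
        pps = m->pkts / (now - m->start);
        m->start = now;
        m->pkts = 0;
    }
    m->pkts++;
    return pps;
}

#ifdef LIVE_PCAP
static void on_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *data)
{
    struct pcap_stat st;
    double pps = meter_packet((struct meter *)user, h->ts.tv_sec + h->ts.tv_usec / 1e6);
    (void)data;                      /* payload is never inspected */
    if (pps >= 0.0 && pcap_stats(handle, &st) == 0)
        printf("%.0f pkts/s, %u dropped by kernel so far\n", pps, st.ps_drop);
}
#endif

int main(int argc, char **argv)
{
    struct meter m = { 5.0, 0.0, 0, 0 };   /* X = 5 seconds (assumed) */
#ifdef LIVE_PCAP
    char err[PCAP_ERRBUF_SIZE];
    if (argc < 2 || !(handle = pcap_open_live(argv[1], 64, 1, 100, err)))
        return fprintf(stderr, "usage: pktrate <iface>\n"), 1;
    return pcap_loop(handle, -1, on_packet, (u_char *)&m) < 0;
#else
    (void)argc; (void)argv;
    for (int i = 0; i <= 10000; i++)       /* constructed: 2000 pkts/s for 5 s */
        if (meter_packet(&m, i / 2000.0) >= 0.0) puts("window closed");
    return 0;
#endif
}
```

Because the callback does no per-packet work, a packet rate or drop count that differs sharply from what the IDS reports on the same link points at userspace processing rather than the capture path.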