Re: how to plain a sensor capacity

["Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>]

--On 25 January 2005 10:00 +0100 Alessandro Fiorenzi 
<a.fiorenzi () infogroup it> wrote:

> I have question that is very important, I am going to deploy a server
> that will monitor the traffic of 3/4 networks
> The mail problem is undestand how to choise hardware, because if it is
> true that is possible to install a 4 Ethernet on a single pci-x
> is not so clear that the cpu and the bus could manage a throughput of
> 400Mbit or more that come from a single  pci-x slot or from 3 pci-x

First of all, a single PCI-X 533 bus is theoretically good for a maximum of:

64 bits * 133MHz * 4 = 34.048Gbit/s or 4.3Gbyte/s

Secondly, many machines (e.g. those based on the Intel E7520 chipset) are 
now shipping with multiple PCI-X connectors. I hope that at least some of 
these actually have completely separate pathways, but the documentation 
I've read so far is rather vague.

In terms of physical installation, there are dual- and quad-port cards 
available, such as the Intel 1000MT 
<http://www.intel.com/network/connectivity/products/pro1000mt_quad_server_adapter.htm>, 
giving 4 ports per PCI-X slot.

Finally, from the software point of view, there are a number of performance 
enhancements available. Assuming you're planning on using Linux:

1) NAPI (New API) reduces interrupt load from NICs on busy segments by 
coalescing packets. This is reportedly transparent to libpcap and the rest 
of the application layer. If you pick the right card, the driver will 
support NAPI. The drivers for Intel's cards support NAPI.

2) Phil Wood's libpcap <http://public.lanl.gov/cpw/> improves the 
efficiency of packet capture. Applications using libpcap might need to be 
recompiled and relinked against the new libpcap.

3) <http://www.ntop.org/PF_RING.html>

> The question is when snort or tcpdump works sniffing the traffic does
> work on ram or directly to the interface memory?

As I understand it, in normal operation, the NIC transfers packets into 
main memory using DMA then signals the OS by raising an interrupt. 
readme.ring in Phil Wood's libpcap explains the rest.

> If it works on interface memory I should choise a network adapter with
> large buffers and would use throughput of the bus to choise the right cpu
> Instead if it works on computer memory I should use the time to move
> information from ethernet interface to ram, the bus throughput to choise
> the right cpu

I'm planning on making my first sensor a dual-processor Xeon 'Nocona'/E7520 
(i.e. 800MHz FSB) machine with two Intel quad-port 1000MT cards. I plan to 
make more and more ports active until it cannot cope, then back off.

> Thanks in advance

Corrections, clarification and elaboration welcomed.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users