Snort mailing list archives
Re: how to plan a sensor capacity
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 25 Jan 2005 16:38:05 +0000
--On 25 January 2005 10:00 +0100 Alessandro Fiorenzi <a.fiorenzi () infogroup it> wrote:
> I have a question that is very important. I am going to deploy a server that will monitor the traffic of 3/4 networks. The main problem is understanding how to choose the hardware, because if it is true that it is possible to install a 4-port Ethernet card in a single PCI-X slot, it is not so clear that the CPU and the bus could manage a throughput of 400 Mbit or more coming from a single PCI-X slot or from 3 PCI-X slots.
First of all, a single PCI-X 533 bus is theoretically good for a maximum of: 64 bits * 133MHz * 4 = 34.048Gbit/s or 4.3Gbyte/s.

Secondly, many machines (e.g. those based on the Intel E7520 chipset) are now shipping with multiple PCI-X connectors. I hope that at least some of these actually have completely separate pathways, but the documentation I've read so far is rather vague.
In terms of physical installation, there are dual- and quad-port cards available, such as the Intel 1000MT <http://www.intel.com/network/connectivity/products/pro1000mt_quad_server_adapter.htm>, giving 4 ports per PCI-X slot.
Finally, from the software point of view, there are a number of performance enhancements available. Assuming you're planning on using Linux:
1) NAPI (New API) reduces interrupt load from NICs on busy segments by coalescing packets. This is reportedly transparent to libpcap and the rest of the application layer. If you pick the right card, the driver will support NAPI. The drivers for Intel's cards support NAPI.
2) Phil Wood's libpcap <http://public.lanl.gov/cpw/> improves the efficiency of packet capture. Applications using libpcap might need to be recompiled and relinked against the new libpcap.
3) <http://www.ntop.org/PF_RING.html>
> The question is: when Snort or tcpdump sniffs the traffic, does it work on RAM or directly on the interface memory?
As I understand it, in normal operation, the NIC transfers packets into main memory using DMA then signals the OS by raising an interrupt. readme.ring in Phil Wood's libpcap explains the rest.
> If it works on interface memory, I should choose a network adapter with large buffers and use the throughput of the bus to choose the right CPU. Instead, if it works on computer memory, I should use the time to move information from the Ethernet interface to RAM, and the bus throughput, to choose the right CPU.
I'm planning on making my first sensor a dual-processor Xeon 'Nocona'/E7520 (i.e. 800MHz FSB) machine with two Intel quad-port 1000MT cards. I plan to make more and more ports active until it cannot cope, then back off.
> Thanks in advance
Corrections, clarification and elaboration welcomed.

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
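The bus-versus-link arithmetic in the reply above is the core of the capacity question, so here is an added capacity-planning sketch (example code written for this archive page, not from either poster or from the Snort project). It reproduces the PCI-X 533 figure from the reply (64 bits * 133 MHz * 4), sums the link speed of the proposed NIC ports, estimates the worst-case packet rate at minimum Ethernet frame size, and flags whether the ports could saturate the bus. The `headroom` fraction and the two sample configurations (the 400 Mbit/s question and the dual quad-port 1000MT plan) are constructed assumptions; the 50% figure is a deliberately conservative placeholder, since sustained DMA throughput on a real bus is well below the theoretical maximum.

```python
"""Sensor capacity planner (added example, not from the original thread)."""
from dataclasses import dataclass

ETH_MIN_FRAME = 64       # bytes: minimum Ethernet frame size
ETH_WIRE_OVERHEAD = 8 + 12  # bytes: preamble/SFD plus inter-frame gap on the wire


def pcix_theoretical_bps(width_bits=64, clock_mhz=133, transfers_per_clock=4):
    """Theoretical PCI-X bandwidth in bit/s.

    Defaults reproduce the PCI-X 533 figure quoted in the reply:
    64 bits * 133 MHz * 4 transfers/clock = 34.048 Gbit/s.
    """
    return width_bits * clock_mhz * 1_000_000 * transfers_per_clock


@dataclass
class Nic:
    ports: int      # number of ports on the card
    port_mbps: int  # link speed per port in Mbit/s


def aggregate_link_bps(nics):
    """Sum of the link speeds of every monitored port, in bit/s."""
    return sum(n.ports * n.port_mbps * 1_000_000 for n in nics)


def worst_case_pps(link_bps, frame_bytes=ETH_MIN_FRAME):
    """Packets per second when the link is saturated with frames of frame_bytes.

    Small frames are the expensive case: each one costs a DMA transfer into
    RAM and (without NAPI-style coalescing) an interrupt, regardless of size.
    """
    return link_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def plan(nics, bus_bps=None, headroom=0.5):
    """Compare the monitored link capacity against one PCI-X bus.

    headroom is the fraction of the theoretical bus rate assumed achievable;
    0.5 is a constructed conservative assumption, not a measured value.
    """
    bus_bps = bus_bps or pcix_theoretical_bps()
    link = aggregate_link_bps(nics)
    usable = bus_bps * headroom
    return {
        "link_bps": link,
        "bus_bps": bus_bps,
        "usable_bus_bps": usable,
        "bus_utilisation": link / usable,
        "worst_case_pps": worst_case_pps(link),
        "fits": link <= usable,
    }


# Constructed sample configurations from the thread's discussion.
FOUR_FAST_ETHERNET = [Nic(ports=4, port_mbps=100)]        # the 400 Mbit/s question
DUAL_QUAD_GIGABIT = [Nic(ports=4, port_mbps=1000)] * 2    # two quad-port 1000MT cards


if __name__ == "__main__":
    for label, cfg in (("4 x 100 Mbit", FOUR_FAST_ETHERNET),
                       ("2 x quad-port Gbit", DUAL_QUAD_GIGABIT)):
        r = plan(cfg)
        print(f"{label}: {r['link_bps'] / 1e9:.1f} Gbit/s of links, "
              f"{r['bus_utilisation']:.0%} of usable bus, "
              f"worst case {r['worst_case_pps'] / 1e6:.2f} Mpps, fits={r['fits']}")
```

The bus check says only whether the data can physically cross into main memory; the worst-case packet rate is the number to hold against the CPU and the interrupt-handling improvements (NAPI, the ring-buffer libpcap) listed in the reply, since a sensor tends to run out of packets-per-second capacity before it runs out of bus bandwidth. Note that this models one bus; if the machine's slots share a pathway, the link total for all cards on that pathway belongs in a single call.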