Snort mailing list archives
Re: BPF size on OpenBSD and multiple NICs
From: Phil Wood <cpw () lanl gov>
Date: Sat, 9 Jun 2001 10:57:20 -0600
On Sat, Jun 09, 2001 at 11:58:30AM +0000, Subba Rao wrote:
> What should be the limit of OpenBSD's BPF for running Snort effectively? I would like to use one OpenBSD box with a 4-port NIC. Using TCPDUMP, I see quite a few packets getting dropped (sometimes it is as much as 50%). Since Snort is the
Do you turn off name lookup (use the -n switch) when using tcpdump? You should use something like:

tcpdump -i somenic -p (or not) -w somefile -F bpf_filter

Now you have a binary dump of the packets selected by your bpf_filter file that were seen on somenic card. After further analysis, if you want to map all the ip addresses to names you could:

tcpdump -r somefile
> other sniffer, this will be used for IDS. Does Snort drop packets as much as TCPDUMP does?
They both use the same libpcap to capture packets. Your results will vary depending on how many rules, and how complex or string intensive the rules are. Snort will not do ip address to domain name translation because the long waits for unsuccessful (as well as successful) lookups are prohibitive.
> From a performance point of view, how well do sensors with 4-port NICs fare over sensors with one port?
No experience with this one.
> TIA.
>
> --
> Subba Rao
> subba9 () home com
> http://members.home.net/subba9/
> GPG public key ID 27FC9217
> Key fingerprint = 2B4C 498E 1860 5A2B 6570 5852 7527 882A 27FC 9217
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
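An added example (not from the list thread) that turns Phil's advice into something checkable: it builds the tcpdump command line he describes (-n to skip name lookups, -w for a binary dump, -F for a filter file) and parses the "received by filter / dropped by kernel" summary tcpdump prints on exit to compute the kernel drop ratio Subba Rao was seeing. The summary line format and the sample counters are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of the summary tcpdump prints when it exits.
SAMPLE_TRAILER = """\
198345 packets received by filter
97102 packets dropped by kernel
"""

# Matches the counter lines of the exit summary (format assumed, see lead-in).
STAT_RE = re.compile(
    r"^\s*(\d+) packets (captured|received by filter|dropped by kernel)\s*$"
)


def parse_tcpdump_stats(text: str) -> Dict[str, int]:
    """Return the counters from tcpdump's exit summary, keyed by their label."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def kernel_drop_ratio(stats: Dict[str, int]) -> float:
    """Fraction of packets the BPF device dropped because its buffer filled up."""
    received = stats.get("received by filter", 0)
    dropped = stats.get("dropped by kernel", 0)
    if received == 0:
        return 0.0
    return dropped / received


def capture_command(iface: str, outfile: str, filter_file: str,
                    promisc: bool = True) -> List[str]:
    """argv for the capture Phil describes: -n (no lookups), -w (binary dump),
    -F (filter from file). -p is tcpdump's 'do not enter promiscuous mode'."""
    argv = ["tcpdump", "-n", "-i", iface]
    if not promisc:
        argv.append("-p")
    argv += ["-w", outfile, "-F", filter_file]
    return argv


if __name__ == "__main__":
    stats = parse_tcpdump_stats(SAMPLE_TRAILER)
    print("kernel drop ratio: %.1f%%" % (100 * kernel_drop_ratio(stats)))
    print(" ".join(capture_command("fxp0", "somefile", "bpf_filter")))
```

A drop ratio near 50%, as in the sample, means the BPF buffer is overrunning, so raising the buffer size or narrowing the filter is the first thing to try before blaming Snort.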
Current thread:
- BPF size on OpenBSD and multiple NICs Subba Rao (Jun 09)
- Re: BPF size on OpenBSD and multiple NICs Phil Wood (Jun 09)
- <Possible follow-ups>
- Re: BPF size on OpenBSD and multiple NICs skop d'skop (Jun 10)