RE: Good Gbit card for Snorting?

["Abe L. Getchell" <abegetchell () home com>]

Hi Phil,

I looked at the 3Com Gbit NICs, but I've had some performance problems
with the 10/100's in the past.  Not anything to do with Snort, but it
kind of turned me off to the whole 3Com line.  Terrible performance
using them on some Win2k caching servers... Which of course probably
wasn't the fault of the NIC... But I digress. =)  I'll probably end up
testing them in the lab regardless, thanks for the recommendation.

Speaking of 3Com, didn't Nortel sell 3Com the Alteon NIC business when
Nortel assimilated Alteon Web Systems?  I looked on both the respective
web sites and couldn't find anything about the deal, but I think I
remember hearing this somewhere.  The Alteon Gbit NICs were some of the
best I've seen.  It would be nice to still have a source to buy them if
the technology is still being used to produce cards.

Anywho, I'm looking at monitoring in the range of 200-300Mbits/sec, with
300Mbits/sec being the absolute max.  Being a bit concerned about packet
loss with that kind of data volume, I'm also looking at breaking the
traffic up using TopLayer switches or Alteon 184s; an IDS load-balancing
feature was included in the recently released code for the 184s.  That
would allow me to get around the limitations of one box monitoring a lot
of traffic, but the costs would be significant to go with the preferred
solution... That being to purchase a TopLayer switch.  The plus side is
I already have the 184s, and the extra boxes it would take to do the
load-balancing, I'm just a bit hesitant to do it because of the newness
of the load-balancing code.

Thoughts?

Thanks,
Abe

PS-Sorry you got this twice Phil, forgot to copy the list the first
time.  Doh!  

--
Abe L. Getchell
Security Engineer
abegetchell () home com


> -----Original Message-----
> From: Phil Wood [mailto:cpw () lanl gov] 
> Sent: Sunday, November 11, 2001 10:04 PM
> To: Abe L. Getchell
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Good Gbit card for Snorting?
>
>
> I'm using the optical 3com one.  But, another sot like myself 
> in this business, has tested a few, and thinks the Intel 
> might do a little better.  But, he said if it's working for 
> "you" (that would be me), then don't bother switching yet.
>
> What kind of gige rates are you talking?  I think they will 
> all fold at some point less than a gig.  No problem at .2 
> gig.  I could go through my archives and try and find some 
> commentary, but I got to put in a concrete slab tomorrow, and 
> I'm about ready to drop from operating an idiot stick all day! 
>
> On Sun, Nov 11, 2001 at 03:50:18PM -0500, Abe L. Getchell wrote:
> > Greetings!
> >
> > Has anyone run into a particular Gbit card which has worked 
> well for 
> > them under Linux for Snorting?  I've searched on Google, as well as 
> > other resources, and can't really come up with anything 
> except people 
> > sharing their bad experiences doing so. =)  I tend to lean towards 
> > Intel, as I've had good experiences in the past with their 10/100 
> > cards, but I thought I'd check with ya'll to see what the 
> collective 
> > community opinion was.
> >
> > Thanks,
> > Abe
> >
> > --
> > Abe L. Getchell
> > Security Engineer
> > abegetchell () home com
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> -- 
> Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users