Snort mailing list archives

Re: Kernel space Snort. Proof of concept test succeeded.


From: Willem de Bruijn <wdebruij () dds nl>
Date: Wed, 15 Sep 2004 10:30:51 +0200


Was the user-mode Snort using Phil Wood's libpcap
<http://public.lanl.gov/cpw/> or an older version without MMAP mode
support?

We compared against regular (0.8.3) pcap, so Phil Wood's version should
be considerably faster.

Cool, thanks for the clarification.

However, speed-ups can still be obtained by running in the kernel due to
fewer context switches and no need for copying a packet into the memory
mapped area.

Agreed. Do you have any plans to benchmark against Phil Wood's version in
the future?


Well, I'm no longer being paid to work on this, so - honestly - chances that
I'll be testing it are slim. However, others are improving FFPF. In case we
are going to test some more I will suggest running Phil's version as well.

By the way, have you ever looked into Luca Deri's PF_RING solution? He 
obtained very good results with a hybrid between Phil's and our 
implementation. Perhaps he has tested against the regular mmapped pcap. I 
don't know. Find it at luca.ntop.org or through googling.

cheers

Willem

