[Snort-devel] BPF on the fly

Todd Lewis tlewis at ...120...
Thu Jan 18 11:07:19 EST 2001

On Thu, 18 Jan 2001, Martin Roesch wrote:

> I think that it's actually possible to load a filter set on the fly, but
> I can't really speak to the good or bad of the libpcap architecture. 

The callback model is just a disaster, and they've hard-coded that all the
way down into their individual drivers.  It's possible to take a normal
"give me a packet"/"here's your packet back" interface, add a tiny bit of
adapter code, and emulate a callback model, but it's impossible to take
a callback model and emulate the other one.  And there is absolutely
no way to parallelize the callback model, which also really sucks.
The whole thing is a disaster and is driving me crazy as I try to adapt
pcap to the paengine interface.

> Having it written to something a little more high performance might be
> nice though... :)

I hope to be doing some benchmarking soon after I'm able to start working
quasi-full-time on snort development.  We have some great test cases
here at SecureWorks that should make for interesting numbers.

Todd Lewis                                       tlewis at ...120...

  God grant me the courage not to give up what I think is right, even
  though I think it is hopeless.          - Admiral Chester W. Nimitz
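
The direction described above as possible, callback delivery emulated with a small adapter over a "give me a packet"/"here's your packet back" interface, as an added example that is not part of the original message and is not libpcap or paengine code. The names `pull_src`, `src_get`, `src_put` and `src_loop` are hypothetical and the sample packets are constructed.

```c
#include <stddef.h>

/* Hypothetical pull-style interface; not libpcap's or paengine's API. */
struct pkt { const unsigned char *data; size_t len; };
struct pull_src { const struct pkt *ring; size_t count, next, outstanding; };

/* "give me a packet": NULL once the source is drained. */
static const struct pkt *src_get(struct pull_src *s) {
    if (s->next >= s->count) return NULL;
    s->outstanding++;
    return &s->ring[s->next++];
}

/* "here's your packet back": the buffer may now be reused. */
static void src_put(struct pull_src *s, const struct pkt *p) { (void)p; s->outstanding--; }

typedef void (*pkt_handler)(void *user, const struct pkt *p);
/* The adapter: callback delivery built on get/put. cnt <= 0 means "until
 * drained". cnt is checked before src_get() so no packet is taken unreturned. */
static int src_loop(struct pull_src *s, int cnt, pkt_handler cb, void *user) {
    int n = 0;
    const struct pkt *p;
    while ((cnt <= 0 || n < cnt) && (p = src_get(s)) != NULL) {
        cb(user, p);
        src_put(s, p);
        n++;
    }
    return n;
}

/* Sample callback: accumulate the bytes seen into *user. */
static void count_bytes(void *user, const struct pkt *p) { *(size_t *)user += p->len; }

/* Constructed sample packets (truncated header bytes, illustration only). */
static const unsigned char A[] = {0x45, 0x00, 0x00, 0x14}, B[] = {0x45, 0x00};
static const struct pkt SAMPLE[] = {{A, sizeof A}, {B, sizeof B}, {A, sizeof A}};

/* Run the adapter over the sample; returns total bytes the callback saw. */
static size_t demo(int cnt, int *delivered, size_t *outstanding) {
    struct pull_src s = {SAMPLE, 3, 0, 0};
    size_t total = 0;
    *delivered = src_loop(&s, cnt, count_bytes, &total);
    *outstanding = s.outstanding;
    return total;
}

int main(void) {
    int n; size_t out;
    return demo(0, &n, &out) == 10 ? 0 : 1;
}
```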
