[Snort-devel] BPF on the fly
roesch at ...48...
Thu Jan 18 17:17:34 EST 2001
Ok, today is officially "Answer Todd Lewis Day". Sorry for the lengthy
delays involved in getting back to you on a number of issues regarding
all the things you've been writing about lately; you've been putting out
so much information that it's hard to keep up when I'm trying to earn a
living doing non-Snort stuff. :)

Anyway, I'd be very interested in seeing your new stuff. You might want
to talk to Mike Stolarchuck <mts at ...220...> about the work that I've heard
he might be doing on OpenBSD to implement faster packet capture
performance. You two working together could do a lot of damage. :)

Todd Lewis wrote:
> On Thu, 18 Jan 2001, Martin Roesch wrote:
> > I think that it's actually possible to load a filter set on the fly, but
> > I can't really speak to the good or bad of the libpcap architecture.
> The callback model is just a disaster, and they've hard-coded that all the
> way down into their individual drivers. It's possible to take a normal
> "give me a packet"/"here's your packet back" interface, add a tiny bit of
> adapter code, and emulate a callback model, but it's impossible to take
> a callback model and emulate the other one. And there is absolutely
> no way to parallelize the callback model, which also really sucks.
> The whole thing is a disaster and is driving me crazy as I try to adapt
> pcap to the paengine interface.
> > Having it written to something a little more high performance might be
> > nice though... :)
> I hope to be doing some benchmarking soon after I'm able to start working
> quasi-full-time on snort development. We have some great test cases
> here at SecureWorks that should make for interesting numbers.
> Todd Lewis tlewis at ...120...
> God grant me the courage not to give up what I think is right, even
> though I think it is hopeless. - Admiral Chester W. Nimitz
roesch at ...48...
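
The adapter mentioned in the quoted text, which wraps a "give me a packet"/"here's your packet back" interface so that it behaves like a callback model, can be sketched as below. This is an added example, not code from libpcap, Snort or paengine; every name (`src_next`, `src_release`, `dispatch`, `count_cb`) and the sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Pull model: the caller asks for a packet and hands it back when done. */
struct pkt { const unsigned char *data; size_t len; };
struct source {
    const struct pkt *ring;   /* constructed sample packets */
    size_t count, next;
    int outstanding;          /* handed out but not yet returned */
};

/* "Give me a packet": returns 1 and fills *out, or 0 when drained. */
static int src_next(struct source *s, struct pkt *out) {
    if (s->next >= s->count) return 0;
    *out = s->ring[s->next++];
    s->outstanding++;
    return 1;
}

/* "Here's your packet back": the buffer may be reused after this. */
static void src_release(struct source *s, struct pkt *p) {
    p->data = NULL; p->len = 0;
    s->outstanding--;
}

/* Callback model, emulated: the whole adapter is this one loop.
 * cnt <= 0 means "run until the source is drained". */
typedef void (*handler_fn)(void *user, const struct pkt *p);
static int dispatch(struct source *s, int cnt, handler_fn cb, void *user) {
    struct pkt p;
    int n = 0;
    for (; (cnt <= 0 || n < cnt) && src_next(s, &p); n++) {
        cb(user, &p);          /* handler sees the packet... */
        src_release(s, &p);    /* ...and loses it on return */
    }
    return n;
}

/* Sample handler plus constructed input. */
struct stats { int packets; size_t bytes; };
static void count_cb(void *user, const struct pkt *p) {
    struct stats *st = user;
    st->packets++; st->bytes += p->len;
}
static const unsigned char P1[] = {0x45, 0x00, 0x00, 0x14}, P2[] = {0x45, 0x00};
static const unsigned char P3[] = {0x60, 0x00, 0x00, 0x00, 0x00, 0x00};
static const struct pkt SAMPLE[] = {{P1, sizeof P1}, {P2, sizeof P2}, {P3, sizeof P3}};

int main(void) {
    struct source s = { SAMPLE, 3, 0, 0 };
    struct stats st = { 0, 0 };
    printf("%d packets\n", dispatch(&s, 0, count_cb, &st));
    return s.outstanding != 0;
}
```

A caller of `src_next` decides when to call `src_release`, so it can hold several packets at once; a handler invoked from `dispatch` cannot, because the buffer is returned as soon as the handler returns.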