[Snort-devel] BPF on the fly

Martin Roesch roesch at ...48...
Thu Jan 18 17:17:34 EST 2001


Ok, today is officially "Answer Todd Lewis Day".  Sorry for the lengthy
delays involved in getting back to you on a number of issues regarding
all the things you've been writing about lately; you've been putting out
so much information that it's hard to keep up when I'm trying to earn a
living doing non-Snort stuff. :)

Anyway, I'd be very interested in seeing your new stuff.  You might want
to talk to Mike Stolarchuck <mts at ...220...> about the work that I've heard
he might be doing on OpenBSD to implement faster packet capture
performance.  You two working together could do a lot of damage. :)

   -Marty

Todd Lewis wrote:
> 
> On Thu, 18 Jan 2001, Martin Roesch wrote:
> 
> > I think that it's actually possible to load a filter set on the fly, but
> > I can't really speak to the good or bad of the libpcap architecture.
> 
> The callback model is just a disaster, and they've hard-coded that all the
> way down into their individual drivers.  It's possible to take a normal
> "give me a packet"/"here's your packet back" interface, add a tiny bit of
> adapter code, and emulate a callback model, but it's impossible to take
> a callback model and emulate the other one.  And there is absolutely
> no way to parallelize the callback model, which also really sucks.
> The whole thing is a disaster and is driving me crazy as I try to adapt
> pcap to the paengine interface.
> 
> > Having it written to something a little more high performance might be
> > nice though... :)
> 
> I hope to be doing some benchmarking soon after I'm able to start working
> quasi-full-time on snort development.  We have some great test cases
> here at SecureWorks that should make for interesting numbers.
> 
> --
> Todd Lewis                                       tlewis at ...120...
> 
>   God grant me the courage not to give up what I think is right, even
>   though I think it is hopeless.          - Admiral Chester W. Nimitz

--
Martin Roesch
roesch at ...48...
http://www.snort.org
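
The adapter direction described in the quoted message (a "give me a packet" interface wrapped to look like a callback interface), as an added example that is not part of the original thread and is not libpcap or paengine code. All names here (`pkt_source`, `source_next`, `dispatch`, `count_handler`) are hypothetical, and the three frames are constructed sample data.

```c
#include <stddef.h>

/* Hypothetical pull-style source: the caller asks for the next packet. */
struct pkt { const unsigned char *data; size_t len; };
struct pkt_source { const struct pkt *pkts; size_t count, next; };

/* Pull interface: returns 1 and fills *out, or 0 when the source is drained. */
static int source_next(struct pkt_source *s, struct pkt *out) {
    if (s->next >= s->count) return 0;
    *out = s->pkts[s->next++];
    return 1;
}

/* Callback signature in the style of a capture-library packet handler. */
typedef void (*pkt_handler)(void *user, const struct pkt *p);

/* Adapter: emulate a callback dispatch loop on top of the pull interface.
 * max < 0 means "until drained". Returns the number of packets delivered.
 * The caller keeps control between calls, so it can stop, resume, or hand
 * the same source to a different handler. */
static int dispatch(struct pkt_source *s, int max, pkt_handler cb, void *user) {
    struct pkt p;
    int n = 0;
    while ((max < 0 || n < max) && source_next(s, &p)) {
        cb(user, &p);
        n++;
    }
    return n;
}

/* Sample handler: tally packets and bytes into caller-owned state. */
struct stats { size_t packets, bytes; };
static void count_handler(void *user, const struct pkt *p) {
    struct stats *st = user;
    st->packets++;
    st->bytes += p->len;
}

/* Constructed sample input: three fake frames of 4, 2 and 6 bytes. */
static const unsigned char f1[] = {0x45, 0x00, 0x00, 0x14};
static const unsigned char f2[] = {0x45, 0x00};
static const unsigned char f3[] = {0x60, 0x00, 0x00, 0x00, 0x00, 0x00};
static const struct pkt SAMPLE[] = {{f1, sizeof f1}, {f2, sizeof f2}, {f3, sizeof f3}};

/* Deliver a first batch of up to first_batch packets, then drain the rest. */
static struct stats run_demo(int first_batch) {
    struct pkt_source src = {SAMPLE, 3, 0};
    struct stats st = {0, 0};
    dispatch(&src, first_batch, count_handler, &st);
    dispatch(&src, -1, count_handler, &st);
    return st;
}
```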



