[Snort-users] BPF size on OpenBSD and multiple NICs

Phil Wood cpw at ...440...
Sat Jun 9 12:57:20 EDT 2001

On Sat, Jun 09, 2001 at 11:58:30AM +0000, Subba Rao wrote:
> What should be the limit of OpenBSD's BPF for running Snort effectively? I would
> like to use one OpenBSD box with a 4-port NIC. Using TCPDUMP, I see quite a few
> packets getting dropped (sometimes it is as much as 50%). Since Snort is the

Do you turn off name lookup (use the -n switch) when using tcpdump.  You
should use something like:

  tcpdump -i somenic -p (or not) -w somefile -F bpf_filter

Now you have a binary dump of the packets selected by your bpf_filter file
that were seen on somenic card.  After further analysis, if you want
to map all the ip addresses to names you could:

  tcpdump -r somefile

> other sniffer, this will be used for IDS. Does Snort drop packets as much as
> TCPDUMP does?

They both use the same libpcap to capture packets.  Your results will
vary depending on how many rules, and how complex or string intensive
the rules are.  Snort will not do ip address to domain name translation
because the long waits for unsuccessful (as well as successful) lookups
is prohibitive.

> >From a performance point of view, how well do sensor's with 4-port NICs fair
> over sensor with one port?

No experience with this one.

> TIA.
> -- 
> Subba Rao
> subba9 at ...530...
> http://members.home.net/subba9/
> GPG public key ID 27FC9217
> Key fingerprint = 2B4C 498E 1860 5A2B 6570  5852 7527 882A 27FC 9217
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Phil Wood, cpw at ...440...

More information about the Snort-users mailing list