[Snort-users] Hardware required for monitoring a DS3

brandon at ...3618...
Wed Oct 3 07:32:03 EDT 2001


On Tue, Oct 02, 2001 at 05:56:02PM -0700, Erek Adams wrote:
> On Tue, 2 Oct 2001 brandon at ...3618... wrote:
> > I have recently been evaluating upgrading.  We tried a Sun Netra T1/500MHz
> > and it was slower than our existing P3/850MHz.  I also had some problems
> > because it appeared to actually process fewer packets but did not record ANY
> > lost packets, compared to our FreeBSD box on Intel.  With a few minute
> > span each on the same hub recording the same data the Intel/BSD box
> > recorded about 2.3mil packets with less than 1% loss and the Sun
> > recorded about 1.5 mil packets with zero loss.  We have since
> > disregarded the Sun as a viable option.  What we did end up deciding
> > on was a Dual Athlon MP core at 1.2GHz.  We are buying the eracks
> > version (http://www.eracks.com).
> 
> What I would be interested in seeing is a comparison of (Solaris Sparc vs.
> Solaris Intel) vs (OpenBSD/Sparc vs. OpenBSD/Intel) on the same sets of
> hardware.  I'm wondering if it's the OS that made the difference or the
> platform.  I'm running on Solaris 7 and not seeing any packets lost.  Granted,
> the sensors are spread out all over, and traffic is fairly segregated...  I've
> seen nothing like that.  Was your ether interface taking a lot of errors?  Or
> was this just 'silent drops'?

At first I was impressed with the SPARC, but it was when I started
watching total packets as reported by snort that I became alarmed.  I
do not know if this is a problem with the eri device (for their new
NIC), since it is a newer device, or with Solaris in general.  I
recorded zero, none, zilch packet loss the entire time I ran the
tests, but the two devices (Intel/FreeBSD and SPARC/Solaris) were on
the same hub, and I was not seeing collisions or other problems (the
only difference was how the devices were configured.  In FreeBSD I
just 'ifconfig fxp0 up'-ed the device, without an IP address, whereas
in Solaris I was forced to give it an IP address).

Oh, and I also spent some time recompiling libpcap with Sun's compiler
(free 60-day off the net).  Snort, however, would NOT compile.  There
may have been some options I could have added to get it to work, but
it wasn't worth the bother because by this time I was noticing the
packet loss.  The problems were gcc-isms, such as using C++ allowed
stuff in C code.  Sun's compiler doesn't allow that, from what I can
tell.

-Brandon Gillespie




