[Snort-users] BPF/libpcap performance, was Re: Seg Fault

Chris Green cmg at ...671...
Tue Feb 26 15:13:09 EST 2002


Erek Adams <erek at ...577...> writes:

> On Tue, 26 Feb 2002, Chris Green wrote:
>
>> FYI, it's BPF/libpcap performance and not TCP stack performance that is the
>> issue when it comes to snort
>
> Ok, with that being said, here's a question:  Is it worth upgrading to another
> version of libpcap each time it comes out?  Or tracking its CVS as well?

If you are running Linux on your IDS stuff, it's worth it for hearing
about the things they do to turbo packet stuff now and then.

> Along those lines, would there be any useful TCP/IP stack parameters to
> tune/change, or would that just be a waste of effort?

I'm sure there are things like memcaps for bpf and the like to set and
I'd love to see a good technical paper other than the winpcap one on
pcap performance as well as tuning.

I'm also pretty sure one of the security websites would even pay a bit
for an article on tuning of pcap performance.

Most everything I've seen in the past few years ranks right above
voodoo.
-- 
Chris Green <cmg at ...671...>
Don't use a big word where a diminutive one will suffice.



