[Snort-users] Cisco Catalyst - SNORT

Gary Flynn flynngn at ...6811...
Fri Jun 27 19:55:07 EDT 2003


Jeff Nathan wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>
>- --On Friday, June 27, 2003 7:34 -0400 Gary Flynn <flynngn at ...6811...> wrote:
>
>  
>
>>
>>I'm not saying the switch works this way but if the packets are on a bus
>>and configuring a span port just means telling the port to grab anything
>>on the bus, it would seem there would be no performance hit.
>>    
>>
>
>Grabbing those frames and sending them out a different interface still 
>requires I/O operations (interrupt request processing and the like). 
>Hidden as it may be, there's always a price.
>
If the bus is synchronous, the clock could be used to gate the bits into 
registers
and ASICs dedicated to the port. No impact on central processing. No 
interrupts..
The port hardware is told to accept all data on every clock pulse by a 
simple logic level
on a gate. It may be more complicated than that if there is data on the 
bus other
than the packet stream but you get the idea. The data on the bus may 
identify itself as
packet data. There may be codes that delimit packet data. Lots of 
possibilities. All
can be handled by hardware with a couple of logic level changes that doesn't
require a processor.

I don't know if it works that way but Cisco switch/routers process the 
beginnings
of a flow in software and then claim to switch the rest of the flow in 
hardware. I can
see where the processor could set up some registers and flip-flops and 
everything would
cascade through discrete logic gates as long as the address/port/ID 
inputs match the preset
values. To do it promiscuously would seem to be trivial in comparison.

Sort of goes back to the old computers that were set up by an operator 
with patch
cords and then let everything fly through it for a fixed set of 
operations. Once set up,
the data itself drove everything through as it was presented.

All hypothetical.

>  
>







More information about the Snort-users mailing list