[Snort-users] Advice on quad ethernet card

Glenn Forbes Fleming Larratt glratt at ...604...
Mon Nov 29 10:34:02 EST 2004


I have done this. I'd advise against that particular configuration, as
I've experienced bus contention, memory leaking, and general suckage
requiring weekly prophylactic reboots, when trying to run even 2 of
the four interfaces on a quad both in promiscuous mode.

Scaling down to one i/f on the quad and deploying a separate card for
the second tap didn't fully solve, but greatly ameliorated, the
difficulties I experienced.

At this point, I'd recommend having a separate NIC in a separate slot
for each tap you want to monitor, plus a separate interface for
managing the box.

	-g

On Fri, 19 Nov 2004, Patrick Marquetecken wrote:

> Date: Fri, 19 Nov 2004 22:16:14 +0100
> From: Patrick Marquetecken <patrick.marquetecken at ...1187...>
> To: Snort <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Advice on quad ethernet card
>
> Hi,
>
> At my work they are thinking of replacing 3 snort machines by one with a quad Ethernet card, witch will sniff 3 different lan's.
> The network is only 100Mbit, will there not a lot of dropped packages this way, and they must all send there data with barnyard to a remote mysql server.
> Is it also possible to see in the Database from witch sensor the data is from?
>
> TIA
> Patrick
>
> --
> "Please, Spock, do me a favor ... 'n' don't say it's `fascinating'..."
> "No... but it is... interesting..." -- Spock
>
> Fingerprint = 2792 057F C445 9486 F932 3AEA D3A3 1B0C 1059 273B
> ICQ# 316932703
> Registered Linux User #44550
> http://counter.li.org
>
>

				Glenn Forbes Fleming Larratt
				Rice University Networking
				glratt at ...604...




More information about the Snort-users mailing list