[Snort-users] Kernel space Snort. Proof of concept test succeeded.

Alex Butcher, ISC/ISYS Alex.Butcher at ...11254...
Wed Sep 15 01:25:02 EDT 2004

--On 15 September 2004 10:20 +0200 Willem de Bruijn <wdebruij at ...1580...> wrote:

> Hi Alex,
>> Was the user-mode Snort using Phil Wood's libpcap
>> <http://public.lanl.gov/cpw/> or an older version without MMAP mode
>> support?
> We compared against regular (0.8.3) pcap, so Phil Wood's version should
> be considerably faster.

Cool, thanks for the clarification.

> However, speed-ups can still be obtained by running in the kernel due to
> fewer context switches and no need for copying a packet into the memory
> mapped area.

Agreed. Do you have any plans to benchmark against Phil Wood's version in 
the future?

> Willem

Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
