[Snort-users] Kernel space Snort. Proof of concept test succeeded.

Willem de Bruijn wdebruij at ...1580...
Wed Sep 15 11:36:29 EDT 2004


> >
> >> Was the user-mode Snort using Phil Wood's libpcap
> >> <http://public.lanl.gov/cpw/> or an older version without MMAP mode
> >> support?
> >
> > we compared against regular (0.8.3) pcap, so Phil Wood's version should
> > be considerably faster.
>
> Cool, thanks for the clarification.
>
> > However, speed-ups can still be obtained by running in the kernel due to
> > fewer context switches and no need for copying a packet into the memory
> > mapped area.
>
> Agreed. Do you have any plans to benchmark against Phil Wood's version in
> the future?
>

Well, I'm no longer being paid to work on this, so - honestly - chances that
I'll be testing it are slim. However, others are improving FFPF. In case we
are going to test some more I will suggest running Phil's version as well.

By the way, have you ever looked into Luca Deri's PF_RING solution? He 
obtained very good results with a hybrid between Phil's and our 
implementation. Perhaps he has tested against the regular mmapped pcap. I 
don't know. Find it at luca.ntop.org or through googling.

cheers

Willem



