[Snort-users] Kernel space Snort. Proof of concept test succeeded.
Willem de Bruijn
wdebruij at ...1580...
Wed Sep 15 11:36:29 EDT 2004
> >> Was the user-mode Snort using Phil Wood's libpcap
> >> <http://public.lanl.gov/cpw/> or an older version without MMAP mode
> >> support?
> > we compared against regular (0.8.3) pcap, so Phil Wood's version should
> > be considerably faster.
> Cool, thanks for the clarification.
> > However, speed-ups can still be obtained by running in the kernel due to
> > fewer context switches and no need for copying a packet into the memory
> > mapped area.
> Agreed. Do you have any plans to benchmark against Phil Wood's version in
> the future?
Well, I'm no longer being paid to work on this, so - honestly - chances that
I'll be testing it are slim. However, others are improving FFPF. In case we
are going to test some more I will suggest running Phil's version as well.
By the way, have you ever looked into Luca Deri's PF_RING solution? He
obtained very good results with a hybrid between Phil's and our
implementation. Perhaps he has tested against the regular mmapped pcap. I
don't know. Find it at luca.ntop.org or through googling.