[Snort-users] Shared capture NIC

Gentoo-Wally gentoowally at ...11827...
Wed May 3 12:03:02 EDT 2006


Does anyone know if having a second application sharing a NIC with
snort for packet capture seriously affects dropped packet rates,
especially using Phil Wood's libpcap or pf_ring?

ex. snort 2.4 + ntop
      snort 2.4 + argus
      snort 2.4 + tcpdump

You get the idea.

We are currently using snort 2.4 on a Linux box with Phil Wood's
libpcap with MMAP mode (might be switching to pf_ring). There are
obviously issues with overall system performance when adding a second
application, that's a given. My initial gut response is to say yes,
there will be dropped packet issues, but the more I read about
pf_ring/mmap the less I'm sure that my gut response is correct.

Anyone have any real-world knowledge on this issue?

