[Snort-users] Large receive offload, good or bad?

Peter Bates peter.bates at ...15381...
Thu Aug 30 11:43:52 EDT 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all

Interesting topic, as I've been pondering the same thing this week.

On 30/08/2012 15:59, Joel Esler wrote:
> If I was deploying an I[DP]S I would investigate using a operating 
> system and network card that supports zero copy bpf sockets. This
> will save you much more CPU time than using LRO and have much more 
> predictable results.

Can the VRT member who is not on the list expand a bit more on this?

Are we talking *BSD, Linux AF_PACKET with fanout, PF_RING, ?

I've been exploring increasing the buffer size with the AF_PACKET DAQ
this week only to find it errors when set to 4Gb or more.

- -- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQP4o4AAoJELhVoVpEMS6RmpsIAIcy6C41W3St9x4hKqDgUwPb
U+SBccVkl5bx53y3e8aUjKfjhqjoBxT9ylTY5kTeBg4KpHItHx7ihRvZrV67gmrN
louVg6hgXZGmVM/IJZr4TSPhsLgDunwbR2zpbb1oEhyyHnpn8w8N/CYN6Gxd5qpv
9jhEFyeAlJA1R/ejhj7SNTbvcLr/i8sDDzLQCqLHzhHNrHoJIj+EHffZwLOoLQyX
7XGTifR5smcnD8V7HknxinW+1G/d4/8TAhfTgw/zlR65GIZoViBV2ViSZJZC7Nar
KV42iNCeQM3v1Tsrm4N2lueQdLMQISY+0rlidjXURqYtKywpL4YVuU+pHt1T80o=
=dQh5
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list