[Bro-Dev] snaplen and drops
mcholste at gmail.com
Thu Nov 3 06:51:05 PDT 2011
> So if you use libpcap >= 1.0.0, you should have AF_PACKET support by default. Snort/Suricata probably implemented separate AF_PACKET support for systems that ship libpcap < 1.0.0.
I've used pcap > 1.0 and had much worse performance than AF_PACKET, so
I'd be willing to bet that IRQ CPU utilization is higher with pcap and
AF_PACKET does a polling mechanism to decrease its IRQ overhead. I
can't speak to the mmap techniques and whether or not they differ, but
IRQ alone would be enough to make a noticeable difference.
More information about the bro-dev