Gigabit link monitoring
Kyle C Quest
mazequest at hotmail.com
Mon Jul 24 12:43:49 PDT 2000
Vern would be the best person to give an answer for this question...
but I can also help (in a way ;-])...
Bro uses libpcap packet capture library... the library uses
different ways to capture packets on various OS platforms...
If I'm not mistaken, for fast networks it's better to use
BSD derived operating systems (OpenBSD, FreeBSD...) because
they use BPF packet filtering mechanism that is part of operating
system... and as far as I know BPF provides the best performance...
however, I'm sure that even BPF's performance would not be enough
for gigabits network... Unless BPF+ replaced the original BPF
implementation, there's no way bro can sustain gigabits speed.
Anyways, if you choose to use bro, don't use Linux, because it
is possibly the slowest platform to run bro...
Kyle
=======================================================
>Dear Bro users,
>
>I am new to the field of intrusion detection. I would like to use
>Bro to monitor a Gigabit ethernet link. What type of hardware
>should I use in order to guarantee no packet filter drops?
>
>Regards,
>
>Eric Gauthier
________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
More information about the Bro
mailing list