From: Brian L. <br...@br...> - 2008-05-06 18:24:24
On Mon, Apr 07, 2008 at 03:21:14PM +0000, Jon Uriona wrote:
> Hi all,
>
> We are now implementing an Ossim system where there will only be one
> server with four NICs getting traffic at Gbit. Yes, I know, it must be
> hard for libpcap to have 6 apps polling for data packets coming from 4
> NICs... We have to measure the limits...
>
> The thing is that we are now studying the performance of such a system.
> The data links are not saturated at all, they are at a very low use.
> The server is a dedicated machine, with a Pentium Xeon Dual Core and 4
> GB RAM. The NICs seem to perform well. So the trouble is, as expected,
> the communication between the Kernel and the libpcap library... The
> solution seems to be to make it work with PF_RING [1] kernel driver and
> a modified libpcap. Has anyone worked with this solution?
>
> If so, I suppose that we have to compile every tool that works against
> this library... a.k.a. Snort, Ntop, P0f, Pads and Arpwatch in our
> case... Am I wrong? Which other OSSIM compliant tools use libpcap? Any
> suggestion?
>
> There is also a modified accelerated NIC card driver developed [2]
> which can improve performance... Anything on this?
>
> Thanx in advance,
>
> [1] http://www.ntop.org/PF_RING.html
> [2] http://www.nmon.net/acceleratedDriver.html

Jon,

How is your setup working? I totally missed your link in your first post
to the PF_RING. I got the kernel patch and I am building a deb kernel.
Did you apply the real time patches too?

http://www.kernel.org/pub/linux/kernel/projects/rt/

I was looking at the README from Luca Deri and he recommends the rt
patches too in the file PF_RING/kernel/README.

Right now, I only have a 100 Mb switch to test, but we should be getting
some taps to put into the Gigabit network. I also am not sure if my NIC
supports NAPI.

Oh, yes, here is some good documentation for putting together a Debian
package from a custom Linux kernel. Maybe you already have it working.

http://pptpclient.sourceforge.net/howto-debian-build.phtml

brian
--
Brian Lavender
http://www.brie.com/brian/