Snort.org home  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Downloads Snort Docs Rules Snort Community Snort Forums Snort Training
Search Site
Search Rules
Account
email
password
not registered?
user preferences

Snort Forums Archive

Archive Home » Snort Development » Snort and the DAG4.3GE card

Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.

[ Notice: Full Version of This Topic ]

Snort and the DAG4.3GE card


Posted by guimy on December 06, 2005 00:35:38

I have a project about the endance card, I want to know if you redevelopt snort to use this card and if you have some informations about snort with the endance card. I want to know if some fonctions are deported ont the card and whose functions. Thank you very much.

Posted by brevizniak on December 06, 2005 17:32:53

AFAIK the endace card presents a pcap interface to snort and really only handles packet processing. This is a benefit since the CPU does not need to do that work. Depending on your needs you may be able to do what you want without the use of an Endace card and just a finely tunes system. YMMV

Posted by mjk on February 13, 2006 23:15:10

Yes, the Edance DAG card is just another device as far as sort is concerned once libpcap has been built against the DAG libraries. Usually /dev/dag0 is enough.

However, I would disagree on "a finely tunes system" as being enough, as an ordinary NIC requires a interupt routine to process a network packet. Whilst this might be fine on low line rates (10/100) it certainly would not perform well on a 1Gb network at full line rate. In actual fact, a standard NIC will fall over at full line rate (attempting) to capture 100% line rate (e.g inspecting all network data). This is a significate advantage t using an Endace DAG capture card.

Posted by brevizniak on February 14, 2006 03:46:17

NIC technology varies greatly. Higher end server based intel cards support will reduce the interrupt rate required by buffering packets and sending them as a chunk of data instead of individually. It entirely depends on your needs and budget but it is fully possible to create a system with server grade hardware that will handle gigabit rates without the use of Endace.

Posted by mjk on February 15, 2006 18:04:13

I don't really agree as a standard NIC (even "server" NICs) capturing 100% line rate with variable snap lengths ( I know for a fact that even server NIC's choke on small packets sizes) still struggles.

I would like to know what NIC's you would recommned that can do 100% line rate on a GbE link.

Posted by KayJay on June 14, 2006 01:38:20

I have tested standard GBit NIC's against an ENDACE card in a test environment. I used Spirent's SMARTBITS to generate the packets. It was not even close! For my setup the ENDACE card captured on average 8 times more packets before dropping some. I will repost after I try it with Snort

Questions ?

site feedback | Terms of Use | Privacy Policy | forum archives ©2007 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.