Date: Wed, 28 Oct 2009 16:43:08 +0200
From: Vlad Galu <dudu@dudu.ro>
To: Andrea Venturoli <ml@netfence.it>
Cc: freebsd-net@freebsd.org
Subject: Re: snort on multiple interfaces
Message-ID: <ad79ad6b0910280743m4296917ald9c82c690d0e16a3@mail.gmail.com>
In-Reply-To: <4AE8569C.1040209@netfence.it>
References: <4AE8569C.1040209@netfence.it>
On Wed, Oct 28, 2009 at 4:35 PM, Andrea Venturoli <ml@netfence.it> wrote:
> Some years ago, I checked to see whether I would be able to let a single
> snort process listen on more than one NIC.
> At the time it was only possible in Linux.

In Linux the packet capture facility is implemented in a different (and very inefficient) manner, via raw sockets (which means that, in order to reach userspace, a packet has to travel the whole IP stack - including firewall - until delivery to the user process). BSD has BPF, which basically delivers a copy of the packet to the userspace right before it enters the IP stack for kernel processing. Each network driver does this through the BPF_TAP() macro.

> Now, I searched a bit, but nothing new came up.
>
> Did anything improve since then? Do we still need multiple snort processes
> to listen on more than one interface?
> Can some netgraph node help with this?

You can try lagg(4) with the "loadbalance" option, ng_one2many(4), or ng_fec(4).

>
>  bye & Thanks
>         av.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
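An added configuration example (not part of Vlad's reply and not taken from the FreeBSD project) showing the first suggestion above, lagg(4) with the loadbalance protocol, as /etc/rc.conf lines. The member interface names em0 and em1 and the aggregate name lagg0 are assumptions for the example:

```sh
# /etc/rc.conf fragment (added example; em0 and em1 are assumed NIC names)
# Create the aggregate interface at boot and bring both member ports up.
cloned_interfaces="lagg0"
ifconfig_em0="up"
ifconfig_em1="up"
# Group both ports into lagg0 with the loadbalance protocol, so that frames
# received on either physical port are delivered, and BPF-tapped, on lagg0.
ifconfig_lagg0="laggproto loadbalance laggport em0 laggport em1 up"
```

After `/etc/rc.d/netif restart` (or a reboot), a single snort started with `-i lagg0` sees the traffic of both ports, and `tcpdump -i lagg0` is a quick check that frames from each member actually arrive. One caveat: lagg assigns the MAC address of the first port to every member, which does not matter for a passive sensor fed by mirror ports but does matter if those ports also carry the host's own traffic.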