Snort mailing list archives
RE: Advice on quad ethernet card
From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 19 Nov 2004 16:22:08 -0500
Darden, Patrick S. wrote:
> I don't think this is a good idea. You will see a lot of drops if you have any amount of traffic at all.

Hello Patrick D and Patrick M,

I disagree with this opinion, but I respect your caution. Still, if "a lot of drops" occurred with "any amount of traffic at all," how could vendors ever sell quad NICs?

Your Snort performance is a function of the following components:

- CPU
- RAM
- Hard drive
- PCI bus
- NIC quality
- Sensor OS
- Snort Configuration

These are not in any particular order.

Choosing a high-quality quad NIC -- or any NIC -- is important. (Ask old Realtek owners.) I've had good quad NIC capture results for 10/100 Mbps with the Adaptec ANA-62044. [0] The ANA-62044 isn't sold new, so Adaptec's upgrade product is a 66 MHz 64 bit card. [1] The ANA-62044 is a 33 MHz 64 bit card.

I believe Intel makes some of the best NICs around, but their current quad NIC is a gigabit card. [2] For that reason I would avoid it, unless you conduct rigorous testing. When you start thinking you can monitor multiple gigabit links with a quad NIC, you need to be using a robust PCI-X bus and not regular PCI, plus carefully handling all of the other performance factors listed earlier.

Patrick D's recommendation of using two dual NICs might also work. I've used Intel PRO/100+ Dual Port Server Adapters (PILA8472), although I had to replace one of them after a hardware failure. Intel's new dual NICs are either 10/100 Mbps crypto-enabled models or gigabit models. [3, 4]

Whatever you decide, you should try building a test sensor and see how it performs in your environment.

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.adaptec.com/worldwide/support/suppdetail.jsp?sess=no&language=English+US&prodkey=ANA-62044
[1] http://www.adaptec.com/worldwide/product/proddetail.html?sess=no&language=English+US&prodkey=ANA-64044LV
[2] http://www.intel.com/network/connectivity/products/pro1000mt_quad_server_adapter.htm
[3] http://www.intel.com/network/connectivity/products/pro100dport_adapter.htm
[4] http://www.intel.com/network/connectivity/products/pro1000mt_dual_server_adapter.htm