Software router state of the art

Wes Young wcyoung at
Wed Jul 23 19:05:30 UTC 2008

We use them here and there (the 1Gig versions). The biggest thing to  
think about is the types of rule-sets you'll be using compounded by  
the number of flows being created / expired. Once tuned, they work  
quite well, but the balance is how fast you can pull/analyze out of  
RAM. Compiling the rules down to the card's level speeds things up a  
bit, but at the loss of using more dynamic rulesets.

If you can get the raw data to some sort of larger medium (say,  
rotating pcaps on a disk), you length the buffer-window. FWIW however,  
probably the best way to scale this is get an Xport fiber regen tap,  
populate with a few of these, tune them to monitor different segments  
based on address space or port ranges. You'll have yourself a  
relatively cheap solution, but extremely effective solution.

I've yet to test out the NinjaProbes... It's on my todo list...

On Jul 23, 2008, at 2:21 PM, Christopher Morrow wrote:

> On Wed, Jul 23, 2008 at 11:05 AM, Naveen Nathan <naveen at>  
> wrote:
>>> The Endace DAG cards claim they can move 7 gbps over a PCI-X bus  
>>> from
>>> the NIC to main DRAM. They claim a full 10gbps on a PCIE bus.
>> I wonder, has anyone heard of this used for IDS? I've been looking at
>> building a commodity SNORT solution, and wondering if a powerful  
>> network
>> card will help, or would the bottleneck be in processing the  
>> packets and
>> overhead from the OS?
> snort at 1g & 10g
> -chris

Wes Young
Network Security Analyst
CIT - University at Buffalo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2444 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list