[unisog] Remote sniffers- what do you use?

Peter Van Epp vanepp at sfu.ca
Thu Mar 9 16:30:06 GMT 2006

> You can easily load just about every open-source network analysis tool 
> (snort, argus, tcpdump, ethereal, ntop, etc) onto a 1-U FreeBSD box 
> (FreeBSD beating Linux in most any networking benchmark -- Linux+pfRing 
> included).

	At the risk of starting a religious war, I don't think this is correct
:-). Four or five years ago I made this argument to our HPC folks when they
were building a 192 node Beowulf cluster so we ran benchmarks (iperf, netperf
etc.) on my argus test boxes and found while FreeBSD did better on CPU usage,
either OS could fill the pipe and as a result they decided to go Linux to be 
like most of the rest of the Beowulf world.
	I can testify from personal experience that a year or so ago the
same box running argus on a gig link doing 995 megs lost around 50% of the 
packets on FreeBSD when Linux with pfRing (and a meg or so of buffer space in 
the kernel which makes the comparison somewhat unfair :-)) was able to keep up 
with traffic. 
	There is also some interesting new TCP code from Van Jacobson (not yet 
releasable last I heard) for Linux that he says cuts 80% of the CPU usage 
(although it is probably applicable to FreeBSD too if someone ports it). 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
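The practical point buried in the exchange above is that a sniffer which drops half its packets still looks like it is working; the only way to know is to read the kernel drop counters the capture tool reports. As an added example, not part of the original post or of argus/tcpdump themselves, the following script parses the end-of-run summary lines that tcpdump prints to stderr ("N packets captured", "N packets received by filter", "N packets dropped by kernel") and computes the loss percentage, so a capture box can be checked against a threshold instead of trusted. The two sample summaries are constructed to match the 50% loss and the "kept up" case described in the post; they are not real measurements.

```python
import re

# Constructed sample summaries in the format tcpdump prints on exit.
# Numbers are illustrative, chosen to mirror the post's 50%-loss anecdote.
SAMPLE_FREEBSD = """\
1238411 packets captured
2476822 packets received by filter
1238411 packets dropped by kernel
"""

SAMPLE_LINUX_PFRING = """\
2480017 packets captured
2480017 packets received by filter
0 packets dropped by kernel
"""

# Map tcpdump's summary wording to the keys used below.
_LABELS = {
    "captured": "captured",
    "received by filter": "received",
    "dropped by kernel": "dropped_kernel",
    "dropped by interface": "dropped_iface",
}

_LINE_RE = re.compile(
    r"^\s*(\d+) packets (captured|received by filter|dropped by kernel|dropped by interface)",
    re.MULTILINE,
)


def parse_tcpdump_summary(text):
    """Return a dict of counters from tcpdump's exit summary.

    Missing counters default to 0 (not every platform prints the
    'dropped by interface' line), but 'received by filter' must be present
    or the loss figure would be meaningless.
    """
    stats = {key: 0 for key in _LABELS.values()}
    for count, label in _LINE_RE.findall(text):
        stats[_LABELS[label]] = int(count)
    if "received by filter" not in text:
        raise ValueError("no 'packets received by filter' line in summary")
    return stats


def capture_loss_pct(stats):
    """Percentage of packets the kernel saw but the sniffer never got.

    On BPF (FreeBSD) and PF_PACKET (Linux) alike, 'received' counts packets
    that matched the filter; 'dropped' counts those that overflowed the
    kernel buffer before user space read them.
    """
    received = stats["received"]
    if received == 0:
        return 0.0
    dropped = stats["dropped_kernel"] + stats["dropped_iface"]
    return dropped * 100.0 / received


def keeps_up(summary_text, max_loss_pct=1.0):
    """True if the run dropped no more than max_loss_pct of the traffic.

    max_loss_pct is an assumed operational threshold, not a value from
    the post; tune it to what the monitoring is expected to tolerate.
    """
    return capture_loss_pct(parse_tcpdump_summary(summary_text)) <= max_loss_pct


if __name__ == "__main__":
    for name, text in (("FreeBSD", SAMPLE_FREEBSD), ("Linux+pfRing", SAMPLE_LINUX_PFRING)):
        loss = capture_loss_pct(parse_tcpdump_summary(text))
        verdict = "OK" if keeps_up(text) else "DROPPING"
        print(f"{name}: {loss:.1f}% loss -> {verdict}")
```

In practice the summary is read from the sniffer's stderr after a timed run (`tcpdump -i em0 -w /dev/null` for a fixed interval, then SIGINT); for a long-lived sensor the same counters are available at any time via `pcap_stats()` from libpcap, which is what argus and snort consult internally.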

