IDS: Re: port bonding and taps

["Sam f. Stover" <sstover () iwc sytexinc com>]

> I did captive-net testing, using a pair of generator machines direct
> patched (xover cables for 100BaseT) to the snorter's NICs, using
> tcpreplay to inject traffic. I was using completely untuned snort
> 1.9 on Compaq DL-320 low-end boxes, as I recall PIII-1.25GHz and
> 640MB RAM. Packet losses started getting noticeable somewhere around
> 70-80Mbps aggregate, and it made absolutely no difference whether
> the aggregate was coming in over two bonded interfaces, or over a
> single NIC with no bonding loaded. Bonding didn't seem to enter into
> the performance picture at all.
I can see how that would be the case on lower end boxes.  However, had 
they been extremely beefy, it's possible that the application wouldn't 
be the weak link, but the bonding.  That's where I'm driving with this 
- I'd like to know where the overhead imposed by the bonding causes 
packet drops.
> If I'd needed to hit higher performance, there were certainly easy
> measures to take; but as it turned out, I didn't:-).
>
> > Also, is there a way to know if you are dropping frames on the
> > bonded interface?  Or do you have to query the individual card
> > statistics, just like anything else?
> In my case, I could compare sent to received packet counts
> end-to-end.
My question here was more directed at an environment where the bonded 
interface was dropping packets - which didn't appear to be the case in 
your situation...  Still cool though.
____
S.f.Stover
sstover () iwc sytexinc com

Attachment: PGP.sig
Description: