Date: Wed, 23 Jul 2008 14:17:53 -0400
From: "William Herrin" <herrin-nanog@dirtside.com>
On Wed, Jul 23, 2008 at 2:03 PM, Naveen Nathan <naveen@lastninja.net> wrote:
> The Endace DAG cards claim they can move 7 gbps over a PCI-X bus from the NIC to main DRAM. They claim a full 10gbps on a PCIE bus.
> I wonder, has anyone heard of this used for IDS? I've been looking at building a commodity SNORT solution, and wondering if a powerful network card will help, or would the bottleneck be in processing the packets and overhead from the OS?
The first bottleneck is the interrupts from the NIC. With a generic Intel NIC under Linux, you start to lose a non-trivial number of packets around 700mbps of "normal" traffic because it can't service the interrupts quickly enough.
Most modern high-performance network cards support MSI (Message Signaled Interrupts), which generate real interrupts only on an intelligent basis and only at a controlled rate. Windows, Solaris and FreeBSD have support for MSI and I think Linux does, too. It requires both hardware and software support. With MSI, TSO, LRO, and PCI-E with hardware that supports these, 9.5 Gbps TCP flows between systems are possible with minimal tuning. That puts the bottleneck back on the forwarding software in the CPU to do the forwarding at high rates.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net  Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
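Both replies point at two things a Snort sensor builder should be able to check on a Linux host before blaming the card: whether the NIC's interrupt lines are MSI/MSI-X or legacy (the distinction Kevin raises), and how many received packets the kernel is already dropping (the loss Bill describes around 700 Mbps shows up in the rx "drop" counter). The script below is an added example written for this thread, not code posted by any participant. It assumes the standard layouts of /proc/interrupts and /proc/net/dev; the two embedded samples are constructed, not captured from a real host, and the "drop percentage" is simply drop / (packets + drop), a formula chosen here for illustration. Pass the real file paths as the second argument to inspect a live system.

```shell
#!/bin/sh
# Constructed sample of /proc/interrupts (hypothetical NIC queues, not a real host).
# eth0 has two MSI-X queue vectors; eth1 sits on a legacy IO-APIC line.
SAMPLE_INTERRUPTS='           CPU0       CPU1
  24:    1534221     1498870   IR-PCI-MSI 524288-edge   eth0-TxRx-0
  25:    1520114     1503322   IR-PCI-MSI 524289-edge   eth0-TxRx-1
  16:    9876543           0   IO-APIC   16-fasteoi     eth1'

# Constructed sample of /proc/net/dev. Receive columns after "iface:" are
# bytes packets errs drop fifo frame compressed multicast, then transmit.
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0: 4123456789 3012345    0    0    0     0          0         0  1234567 456789    0    0    0     0       0          0
  eth1:  987654321  912345    0 18246    0     0          0         0   234567  56789    0    0    0     0       0          0'

# irq_mode IFACE [FILE]
# Prints "msi" if every IRQ line named after IFACE (eth0, eth0-TxRx-0, ...)
# is an MSI/MSI-X vector, "legacy" if none is, "mixed" if both kinds appear,
# and "none" if no IRQ line names the interface at all.
irq_mode() {
    iface=$1
    src=${2:-}
    if [ -n "$src" ]; then data=$(cat "$src"); else data=$SAMPLE_INTERRUPTS; fi
    printf '%s\n' "$data" | awk -v ifc="$iface" '
        $NF ~ ("^" ifc "(-|$)") { seen = 1; if ($0 ~ /MSI/) msi = 1; else legacy = 1 }
        END {
            if (!seen)              print "none"
            else if (msi && legacy) print "mixed"
            else if (msi)           print "msi"
            else                    print "legacy"
        }'
}

# rx_drop_pct IFACE [FILE]
# Prints the receive drop percentage, 100 * drop / (packets + drop), with two
# decimals, or "na" if the interface is not listed.
rx_drop_pct() {
    iface=$1
    src=${2:-}
    if [ -n "$src" ]; then data=$(cat "$src"); else data=$SAMPLE_NETDEV; fi
    printf '%s\n' "$data" | awk -v ifc="$iface" '
        { sub(/:/, ": ") }                 # split a fused "eth0:12345" token
        $1 == (ifc ":") { pkts = $3; drop = $5; seen = 1 }
        END {
            if (!seen)                 print "na"
            else if (pkts + drop == 0) printf "0.00\n"
            else                       printf "%.2f\n", 100 * drop / (pkts + drop)
        }'
}

# nic_report IFACE [INTERRUPTS_FILE] [NETDEV_FILE]: one line per interface.
nic_report() {
    printf '%s: irq=%s rx_drop=%s%%\n' "$1" "$(irq_mode "$1" "${2:-}")" "$(rx_drop_pct "$1" "${3:-}")"
}

# Stand-alone run over the constructed samples.
for ifc in eth0 eth1; do
    nic_report "$ifc"
done
```

On a live sensor, `nic_report eth0 /proc/interrupts /proc/net/dev` gives the same two facts; a "legacy" result on a 10 GbE card, or a drop percentage that climbs with offered load, is the signal that interrupt handling rather than Snort itself is where packets are being lost. Per-queue drop counters from `ethtool -S` and the offload state from `ethtool -k` (TSO/LRO, as mentioned above) complete the picture.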