<snip>
> But! Why not go further and have an active
> sniffer box even? Which logs specific traffic and lives on another
> machine than the one monitored? This is more elegant... use the linux box
> for the sniffer...
</snip>
A worthy task; basically an IDS with host-specific key capturing. As far
as the sniffer goes, I've had some troubles in the past with Linux
acting as a full-bore sniffer dropping significant numbers of packets.
The NFR site (http://www.nfr.com) explains this phenomenon:
"The libpcap library uses another method to extract packets from the
kernel on Linux. The code for this method does not appear to be written
with performance in mind. Programs such as NFR, which use libpcap to read
packets from the interface in promiscuous mode, will experience
significant packet loss on any network that sees traffic of several
megabits per second or more."
My solution was to use a FreeBSD box for my IDS, though I still prefer
Linux on my desktop machines.
Just my .02
--
Jeff Duffy
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
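The check a practitioner would want before blaming the platform is the kernel drop counter that libpcap exposes through pcap_stats(), which tcpdump prints to stderr when it exits ("N packets received by filter" / "N packets dropped by kernel"). The script below is an added example, not from the original post or from NFR; it assumes tcpdump's three-line exit summary format and treats the hypothetical THRESHOLD variable (default 1 percent) as the point at which a sniffer box should be considered lossy. What ps_recv counts varies by platform, so the percentage is an approximation of loss, not an exact figure.

```shell
#!/bin/sh
# Added example (not part of the original message): compute the kernel
# drop rate from tcpdump's exit summary, which is libpcap's pcap_stats()
# output. Assumes tcpdump prints these three lines on stderr at exit:
#   N packets captured
#   N packets received by filter
#   N packets dropped by kernel

# drop_rate SUMMARY
#   Prints "received dropped percent" on stdout.
#   Returns 0 when the drop percentage is below $THRESHOLD (hypothetical
#   knob, default 1), 1 when it is at or above it, 2 when the summary
#   cannot be parsed.
drop_rate() {
    summary="$1"
    threshold="${THRESHOLD:-1}"

    # Pull the two counters out of the summary; sed prints only the
    # matching line's leading number, so a missing line yields an empty
    # string.
    received=$(printf '%s\n' "$summary" |
        sed -n 's/^\([0-9][0-9]*\) packets received by filter.*/\1/p')
    dropped=$(printf '%s\n' "$summary" |
        sed -n 's/^\([0-9][0-9]*\) packets dropped by kernel.*/\1/p')

    if [ -z "$received" ] || [ -z "$dropped" ]; then
        echo "drop_rate: unparsable tcpdump summary" >&2
        return 2
    fi

    # Integer percentage of packets the kernel dropped relative to the
    # packets that reached the filter; guard against a zero denominator.
    if [ "$received" -eq 0 ]; then
        percent=0
    else
        percent=$(( dropped * 100 / received ))
    fi

    echo "$received $dropped $percent"
    [ "$percent" -lt "$threshold" ]
}

# Typical use: capture for a while, then feed the stderr summary back in.
#   tcpdump -i eth0 -w capture.pcap 2> summary.txt   (stop with Ctrl-C)
#   drop_rate "$(cat summary.txt)" || echo "sniffer is dropping packets"
```

Run the capture at the traffic level the box will actually see; a drop rate that stays near zero at a few megabits per second but climbs under load is exactly the symptom the NFR note describes, and it is the number to compare between a Linux and a FreeBSD sniffer rather than trusting the platform reputation alone.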