Re: IDS, where the bits meet the bytes

From: Matt Bing (mbing@nfr.net)
Date: 05/01/02


Date: Wed, 1 May 2002 14:23:34 -0400
From: Matt Bing <mbing@nfr.net>
To: "Taylor, Stephen" <STEPHEN.TAYLOR@saic.com>

Taylor, Stephen said:
> All the replies are great. My understanding: the NIC has firmware to copy
> the bits from the wire into card memory. There is a DMA or similar process
> to stream the data into CPU memory. At some point, we have a packet. The
> IDS (driver?) issues a libpcap or uses a proprietary call to obtain the
> packets from processor memory. I have got this wrong, I just don't know
> why.

Sometimes. bpf works by copying the packet from kernel-space
into user-space. A speed-up many propietary IDSs use is to re-map
the packet directly into user-space, saving the expensive copy
operation. This technique is often refered to as a "zero-copy bpf".

-- 
Matt Bing
NFR Security
Rapid Response Team