Re: IDS, where the bits meet the bytes
From: Matt Bing (mbing@nfr.net)Date: 05/01/02
- Previous message: Kent Hundley: "RE: IDS, where the bits meet the bytes"
- In reply to: Taylor, Stephen: "RE: IDS, where the bits meet the bytes"
- Next in thread: Vitaly Osipov: "RE: IDS, where the bits meet the bytes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 1 May 2002 14:23:34 -0400 From: Matt Bing <mbing@nfr.net> To: "Taylor, Stephen" <STEPHEN.TAYLOR@saic.com>
Taylor, Stephen said:
> All the replies are great. My understanding: the NIC has firmware to copy
> the bits from the wire into card memory. There is a DMA or similar process
> to stream the data into CPU memory. At some point, we have a packet. The
> IDS (driver?) issues a libpcap or uses a proprietary call to obtain the
> packets from processor memory. I have got this wrong, I just don't know
> why.
Sometimes. bpf works by copying the packet from kernel-space
into user-space. A speed-up many propietary IDSs use is to re-map
the packet directly into user-space, saving the expensive copy
operation. This technique is often refered to as a "zero-copy bpf".
-- Matt Bing NFR Security Rapid Response Team
- Previous message: Kent Hundley: "RE: IDS, where the bits meet the bytes"
- In reply to: Taylor, Stephen: "RE: IDS, where the bits meet the bytes"
- Next in thread: Vitaly Osipov: "RE: IDS, where the bits meet the bytes"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
