The performance of the DAQ Layer
In addition to the functionality of packet I/O (delivery and transmission), there is another crucial requirement – namely, the performance aspect of this functionality. The packet data must be delivered most efficiently, taking as few CPU cycles as possible. This is important both in offline and inline scenarios.
Factors affecting packet capture performance
From an operational point of view, if the performance of a DAQ is at an undesirable level, it will result in degraded performance for an IDS and/or an IPS. The common factors that affect the performance of packet capture include the following:
- Kernel–user space context switching: Since programs such as Snort run in the user space, a system call is required to retrieve the packet from the kernel space to the user space. This becomes an overhead during a high traffic load. This is the case with the pcap DAQ. This is solved using a memory-mapped buffer (between the kernel...
