Subject: Re: divert socket?
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Perry E. Metzger <perry@wasabisystems.com>
List: tech-kern
Date: 10/24/2001 15:44:20
Darren Reed <darrenr@reed.wattle.id.au> writes:
> > I don't know about divert sockets, but I see two alternatives:
> > 1) the standard bpf interface as used e.g. by IDS systems like
> >    snort (it's in pkgsrc)
> 
> divert isn't as lossy as bpf is.

Er, at some point any such mechanism will fill its queues. It is just
a question of policy. If you need more buffering because of transient
scheduling issues, you can increase the size of the buffering bpf has
available. If you can't process the packets as fast as they appear, no
amount of buffering will help.

Remember, btw, the network itself is lossy.

To my mind, bpf is sufficient. Hell, NFR uses it and that's the best IDS
I know.

--
Perry E. Metzger		perry@wasabisystems.com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/