I have 2 dual xeon 1gb systems each with a 136GB scsi disk available for
use. The load is a minimal RedHat 4 installation with any other services
I can shutoff, disabled via chkconfig.
>From what I have read the biggest concern is when the packets are sent
from the kernel to user-land which can cause dropped packets (found some
papers on pf-ring but they are old and I am unsure if this concern has
not been addressed in later code to the kernel).
When the data is sent to userland is it on a per-app basis or is there
some internal socket that userland apps have access to for reading?
If there is some internal socket that apps read from then I would think
that the number of apps reading from that socket would only impact cpu
and memory usage for the most part and not lead to more dropped packets
as there is only a single transfer from the kernel to userland.
Therefore, under the same assumption, I could run two instances of
tethereal and an instance of, say snort without causing more dropped
packets.
I figure I will know soon enough once I build the systems but I was
hoping someone had a link (I read the ethereal wiki and some others
already) that answered this.
Thanks,
Greg