when sniffing a busy network, or a switch's monitor port?
You may be losing packets, either at the switch's monitor port (mirroring ten 100 Mbit Ethernet ports onto a single 100 Mbit port oversubscribes it, and the switch silently discards what does not fit) or within libpcap, when the kernel's capture buffer overflows before your process reads it. Either kind of loss is fatal for libnids, which needs to see every packet of a connection to perform strict TCP reassembly; a single missing segment leaves the stream unreassembled. Try enabling dsniff's best-effort half-duplex TCP stream reassembly (dsniff -c) instead, which tolerates gaps at the cost of accuracy. Other general performance enhancements for sniffing include:

• SMP, which on most OSs results in only one processor handling the high interrupt load, leaving the other to do real work

• good NICs and drivers with working DMA

• large kernel buffers for efficient packet capture (OpenBSD's BPF already does this)

• custom kernel support for single-copy packet capture (e.g.
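Before blaming libnids, measure the loss. The following is an added example, not part of the dsniff FAQ or the dsniff source: it parses the exit summary that tcpdump prints to stderr (the "received by filter" / "dropped by kernel" counters libpcap reports through pcap_stats()) and decides whether a capture on the same interface and filter you would hand to dsniff is clean enough for strict reassembly. The function names, the threshold argument and the sample counts are mine; the sample summary is constructed, not from a real capture.

```shell
#!/bin/sh
# Added example (not dsniff's own code): quantify kernel-side capture loss
# from tcpdump's exit summary, so you know whether to fall back to dsniff -c
# or enlarge the capture buffer. Capture with the same interface and BPF
# filter you give dsniff, e.g.
#   tcpdump -i fxp0 -n -w /dev/null tcp 2>capture.err     (Ctrl-C to stop)

# drop_ratio FILE: prints "<received> <dropped> <percent>" (integer percent).
# The two counters are ps_recv / ps_drop from libpcap's pcap_stats(), in the
# wording tcpdump uses when it exits.
drop_ratio() {
    received=$(sed -n 's/^\([0-9][0-9]*\) packets received by filter.*/\1/p' "$1")
    dropped=$(sed -n 's/^\([0-9][0-9]*\) packets dropped by kernel.*/\1/p' "$1")
    received=${received:-0}
    dropped=${dropped:-0}
    if [ "$received" -eq 0 ]; then
        pct=0
    else
        pct=$(( dropped * 100 / received ))
    fi
    printf '%s %s %s\n' "$received" "$dropped" "$pct"
}

# loss_verdict FILE LIMIT_PCT: returns 0 if the drop percentage is within
# LIMIT_PCT, else prints a hint and returns 1. Any drop at all can break
# libnids' strict reassembly, so use LIMIT_PCT=0 when feeding dsniff.
loss_verdict() {
    limit=$2
    set -- $(drop_ratio "$1")      # $1=received $2=dropped $3=percent
    if [ "$3" -le "$limit" ]; then
        echo "ok: $2 of $1 packets dropped by kernel ($3%)"
        return 0
    fi
    echo "LOSS: $2 of $1 packets dropped by kernel ($3%); libnids will see broken streams"
    echo "  try: dsniff -c (best-effort half-duplex reassembly), or a larger capture buffer"
    echo "  OpenBSD: sysctl net.bpf.bufsize / net.bpf.maxbufsize; Linux tcpdump: -B <KiB>"
    return 1
}

# Constructed sample of a tcpdump exit summary (not from a real capture):
SAMPLE=${TMPDIR:-/tmp}/dsniff-drop-sample.$$
cat >"$SAMPLE" <<'EOF'
145500 packets captured
150000 packets received by filter
4500 packets dropped by kernel
EOF
loss_verdict "$SAMPLE" 0 || true      # 3% dropped: reports LOSS with hints
rm -f "$SAMPLE"
```

Run it against the stderr file of a capture taken under the real traffic load; a non-zero drop count from the kernel means libpcap is already behind before dsniff sees a byte, and only a bigger buffer, a lighter filter or a less oversubscribed monitor port will fix that. The sysctl and -B names are the OpenBSD and Linux tcpdump knobs as I know them; check your own libpcap and kernel version.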