I'm trying to implement some fast packet capturing mechanisms.
I am using snort (whose pattern-match functionality is, I believe, the main bottleneck)
and a modified libpcap.
Some of the things I am reading say to have an additional NIC card for capturing packets. The card is supposed to be IP-less and not able to transmit packets.
Now I got the IP-less part, but I am unable to determine how to configure a card to not transmit packets. When I rebuild the kernel (2.6.6) I cannot find anything under network options or anywhere else for this.
Can anyone shed light on this?
Also, I am looking to maybe try real-time Linux (RTLinux), and I was wondering if anyone knew anything regarding improved performance with this. Since snort has been the bottleneck, I am assuming it would run with the highest priority and be non-preemptible, but will that really make a difference?
Any other ideas on speeding up packet capturing and processing would be greatly appreciated. So far I have to limit myself to what I can use with snort. I have managed to get it to not drop packets at up to about 300 Mb/s, but I really want to break 500 Mb/s.
Any other technologies I should look at?
Thanks
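One way to do the kernel-side part of what the post asks for (an address-less capture interface with ARP and transmission silenced) and then confirm it really stays quiet on the wire, as an added example that is not from the original post or from snort/libpcap. The interface name eth1, the use of iproute2's `ip`, and the sysfs path are assumptions; the commands are echoed rather than run so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a capture-only NIC that
# has no IP address, does not answer ARP, listens promiscuously, and verify it
# never transmits by sampling the kernel's tx_packets counter in sysfs.
# IFACE and SYSFS_NET are assumptions; override them from the environment.
IFACE="${IFACE:-eth1}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Emit the commands that make the NIC address-less and silent. Flushing the
# address and turning ARP off means the stack has nothing to originate;
# promisc on lets libpcap/snort see every frame. Run the output as root.
stealth_iface_cmds() {
    cat <<EOF
ip addr flush dev $IFACE
ip link set dev $IFACE arp off
ip link set dev $IFACE promisc on
ip link set dev $IFACE up
EOF
}

# Read the transmit packet counter the kernel keeps for interface $1.
tx_packets() {
    cat "$SYSFS_NET/$1/statistics/tx_packets"
}

# Return 0 if interface $1 sent nothing during a window of $2 seconds,
# 1 if the counter moved (the card is still talking and needs attention).
check_silent() {
    before=$(tx_packets "$1")
    sleep "$2"
    after=$(tx_packets "$1")
    [ "$before" -eq "$after" ]
}
```

Run `check_silent eth1 60` after applying the commands (and again after a capture session) to make sure nothing on the box, such as an IPv6 autoconfiguration or a stray daemon, has started transmitting from the sniffing port.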