Packet sniffer tweaks.

[John]

So does anyone have any tips for creating a good packet sniffer system 
for something like snort or maybe ntop? I know irq usage is going to be high
(like around 2-4k/s) per interface, so would that lead me to using polling?
I'm also using fxp cards and found the link0 should help reduce the interrupt 
load on the cpu. So should this be used (with|instead of) polling etc etc.
btw i also found these sysctl vals.
debug.bpf_bufsize
debug.bpf_maxbufsize

Any input would be great, thanks!