Snort mailing list archives

Re: Linux & Pcap ... :-(


From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Wed, 05 Feb 2003 15:05:41 +0000

No, I don't think the turbo packet patch is necessary in the 2.4 kernels.

In my environment (stock RedHat 7.3), if I use the RH-supplied libpcap I do not get any dropped stats at all. If I use the pcap from tcpdump.org, I have the same issue as Kevin. When I use Phil Wood's pcap (libpcap-0.8.1104) everything seems to work OK.
FYI: I am running snort 2.0 build 49, if that makes any difference.


Paul B. Poh wrote:

Hi Lawrence,

Did you happen to also install Phil's turbopacket patch?

I was just looking at the patch and if I read the code properly, it looks like he replaces portions of packet_getsockopt() including the code that resets the packet stats structure.

I'm guessing that it's probably the turbopacket patch as opposed to the modified libpcap that will cure Kevin's issue. :-)

Paul.

Lawrence Reed wrote:

Kevin,
Compile snort with the libpcap from Phil Wood. This works for me and improves performance as well (ring buffer support).

http://public.lanl.gov/cpw/

Kevin Peuhkurinen wrote:

So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero. So, the next time I do a SIGUSR1, the 'breakdown by protocol' shows > 100% because Snort keeps track of the individual protocol stats but gets the percentage based on the numbers provided by libpcap.

[snipped]


--
Larry Reed  Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
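
The accounting problem discussed in this thread, modelled as an added example (not code from Snort, libpcap, or any poster): running per-protocol totals divided by a packet counter that resets on every read produce percentages above 100% on the second report, while summing each read into a running total keeps them consistent. The class names, protocol labels and packet counts are constructed for illustration.

```python
# Added example: a model of the accounting problem, not Snort or libpcap code.

class ResetOnReadCounter:
    """Hypothetical capture-layer counter that zeroes itself on every read."""

    def __init__(self):
        self._received = 0

    def add(self, n):
        self._received += n

    def read(self):
        n, self._received = self._received, 0
        return n


class Reporter:
    """Keeps its own running per-protocol totals, as the sensor in the thread does."""

    def __init__(self, source, accumulate):
        self.source = source
        self.accumulate = accumulate
        self.by_proto = {}
        self.total = 0

    def packets(self, proto, n):
        self.source.add(n)
        self.by_proto[proto] = self.by_proto.get(proto, 0) + n

    def report(self):
        fresh = self.source.read()
        # Naive: treat the latest read as the grand total.
        # Accumulating: add each read to a running total first.
        self.total = self.total + fresh if self.accumulate else fresh
        if self.total == 0:
            return {}
        return {p: round(100.0 * c / self.total, 1) for p, c in self.by_proto.items()}


def simulate(accumulate):
    """Two reporting intervals of constructed traffic; returns both reports."""
    r = Reporter(ResetOnReadCounter(), accumulate)
    r.packets("TCP", 60); r.packets("UDP", 40)
    first = r.report()
    r.packets("TCP", 30); r.packets("UDP", 20)
    return first, r.report()


if __name__ == "__main__":
    print("naive:      ", simulate(False))
    print("accumulated:", simulate(True))
```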




