Re: dropping packets

["Lawrence Reed" <Lawrence.Reed () noaa gov>]

Hugo wrote:
> It seems like I'm on a high traffic volume network and will probably need tp upgrade my libpcap to mmap, unfortunately, I 
> haven't got much success. I don't understand how to get Snort to use the new libpcap. Any pointers would be appreciated.
> I wonder how the sourcefire products solve this problem?
>
> Hugo

I assume you mean the libpcap from Phil Wood ( thanks Phil).
I build snort with the pcap libraries linked in statically as follows:

LDFLAGS=-static ./configure 
--with-libpcap-libraries=/path/to/philwood/pcap 
--with-libpcap-includes=/path/to/philwood/pcap

I also set the environment variable PCAP_FRAMES.
I use export PCAP_FRAMES=max in my snort startup script.

Using unified logging, a full ruleset, the above referenced pcap on a 
dual 2.8Ghz Xeon I have < 0.005% drops with traffic in excess of 300Mbs.

Larry


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users