Snort mailing list archives
Re: OpenPcap()
From: Rob Munsch <rmunsch () solutionsforprogress com>
Date: Tue, 20 Jun 2006 15:50:14 -0400
Would I be wrong in guesstimating that the 2.4.5 is not running in promisc mode... and simply not getting as much traffic as the 2.6.0 is?

Gentoo-Wally wrote:
> Thx. So do you think a jump from 25% usage in 2.4.5 to 90% usage in 2.6.0 on a machine with 1GB RAM should be expected?
>
> On 6/20/06, Joel Esler <joel.esler () sourcefire com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Snort 2.6 uses more memory than its predecessors. The OpenPcap msg you saw is normal, it's just telling you that there is no IP assigned to the sniffing interface (eth0). Which, if you are using a promisc card interface with no IP, is exactly what you want...
>>
>> Joel
>>
>> Gentoo-Wally wrote:
>>> I've started looking at snort 2.6.0 and have run into something strange.
>>>
>>> Compile info:
>>> 1. gcc 4.1.1
>>> 2. ./configure --enable-dynamicplugin --enable-dependency-tracking --with-libpcap-includes=/usr/include/ --with-libpcap-libraries=/usr/lib/
>>> 3. Have tried libpcap 0.9.4 and the current version of Phil Woods' libpcap
>>> 4. Gentoo Linux box
>>> 5. 'ifconfig eth0 up promisc' to bring the interface up
>>>
>>> No errors during ./configure && make && make install. When I start snort it hangs for 15-30 seconds at...
>>>
>>> Initializing Network Interface eth0
>>> OpenPcap() device eth0 network lookup:
>>>         eth0: no IPv4 address assigned
>>> Decoding Ethernet on interface eth0
>>>
>>> I'm starting it like this..
>>> /usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c /usr/local/etc/snort/snort.conf
>>> also tried...
>>> /usr/local/bin/snort -i eth0 -l /var/log/snort -c /usr/local/etc/snort/snort.conf
>>>
>>> At this point memory consumption skyrockets to 95% usage even with all preprocessors except flow turned off. After about 30 seconds it finishes initializing and appears to work correctly, but at 95% memory consumption, and swap usage begins kicking in. I googled the OpenPcap message but found nothing that seems relevant to my situation.
>>>
>>> I also have a snort 2.4.5 install on the same box. When it starts I do not see the OpenPcap message and it works flawlessly at around 18-24% mem usage with all preprocessors on.
>>>
>>> I also tried compiling 2.6.0 without the new dynamic preprocessors or the dep tracking and I still get the OpenPcap message and crazy mem usage. Any ideas?
>>>
>>> Wally
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users () lists sourceforge net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>> - --
>> +---------------------------------------------------------------------+
>> Joel Esler
>> Senior Security Consultant
>> 1-706-627-2101
>> Sourcefire
>> Security for the /Real/ World -- http://www.sourcefire.com
>> Snort - Open Source Network IPS/IDS -- http://www.snort.org
>> GPG Key http://demo.sourcefire.com/jesler.pgp.key
>> +---------------------------------------------------------------------+

--
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com
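The thread turns on two properties of the sniffing interface: whether it is actually in promiscuous mode (Rob's guess about the 2.4.5 instance) and whether it carries an IPv4 address (what the OpenPcap() message is reporting). The pre-flight check below is an added example, not code from this thread, from Snort or from Sourcefire. It assumes modern iproute2 one-line output (`ip -o link show <iface>` and `ip -o -4 addr show <iface>`) rather than the `ifconfig eth0 up promisc` used above; the sample lines embedded in it are constructed, not captured from the poster's box.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a Snort sniffing
# interface. It parses the one-line output of
#   ip -o link show <iface>       (interface flags inside <...>)
#   ip -o -4 addr show <iface>    (one " inet " line per IPv4 address)
# and reports whether the interface is UP and PROMISC, and whether it has an
# IPv4 address. A dedicated sensor port is expected to have none; that is the
# condition Snort's "no IPv4 address assigned" OpenPcap() message describes.

# Print the comma-separated flag list of an `ip -o link` line, one flag per line.
link_flags() {
    printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/\1/p' | tr ',' '\n'
}

# Exit 0 if flag $2 is present in link line $1.
# Whole-line match (-x) so that UP does not match LOWER_UP.
link_has_flag() {
    link_flags "$1" | grep -q -x "$2"
}

# Number of IPv4 addresses in `ip -o -4 addr show` output (0 when empty).
ipv4_count() {
    printf '%s\n' "$1" | grep -c ' inet ' || true
}

# Verdict for a sensor interface, given its link line and its address output:
#   DOWN          interface is not up
#   NOT_PROMISC   up but not promiscuous: Snort only sees this host's traffic
#   OK_WITH_IPV4  up and promiscuous, but carries an IPv4 address
#   OK            up, promiscuous, no IPv4 address (dedicated sensor setup)
sensor_iface_status() {
    link_line=$1
    addr_lines=$2
    if ! link_has_flag "$link_line" UP; then
        echo DOWN
    elif ! link_has_flag "$link_line" PROMISC; then
        echo NOT_PROMISC
    elif [ "$(ipv4_count "$addr_lines")" -gt 0 ]; then
        echo OK_WITH_IPV4
    else
        echo OK
    fi
}

# Constructed sample output (not from the poster's machine) for a sensor port
# brought up with `ip link set eth0 up promisc on` and left without an address.
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR=''

# Live check when an interface name is given, e.g.: sh check_iface.sh eth0
if [ -n "${1-}" ] && command -v ip >/dev/null 2>&1; then
    status=$(sensor_iface_status "$(ip -o link show "$1")" "$(ip -o -4 addr show "$1")")
    echo "$1: $status"
fi
```

Run it against each sensor box before comparing memory figures between the two Snort versions: a NOT_PROMISC result on the 2.4.5 interface would support Rob's explanation, since that instance would simply be processing far less traffic, while OK on the 2.6.0 interface confirms the OpenPcap() line is the expected notice about a missing IPv4 address rather than an error.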
Current thread:
- OpenPcap() Gentoo-Wally (Jun 20)
- Re: OpenPcap() Joel Esler (Jun 20)
- Re: OpenPcap() Gentoo-Wally (Jun 20)
- Re: OpenPcap() Rob Munsch (Jun 20)
- Re: OpenPcap() Justin Heath (Jun 20)
- Re: OpenPcap() Gentoo-Wally (Jun 20)
- Re: OpenPcap() Gentoo-Wally (Jun 20)
- Re: OpenPcap() Joel Esler (Jun 20)