Snort mailing list archives

Re: Mmapped Capture on Linux


From: Russ Combs <rcombs () sourcefire com>
Date: Thu, 12 Aug 2010 11:36:44 -0400

On Wed, Aug 11, 2010 at 6:36 PM, Mike Lococo <mikelococo () gmail com> wrote:

Hi Folks,

I'm interested to know if anyone has attempted to do mmapped capture with
snort using the stock libpcap distribution.  The manual still references
Phil Woods' rather old patches based on libpcap-0.9.8, and all of the
web/mailing-list references I can find use that or various other old
patches.

According to the CHANGES file that ships with libpcap, it has supported
memory-mapped capture on linux since 1.0.0:

http://github.com/mcr/libpcap/blob/3c13ac2cc3e06899a8ed1aca3e88b2abebb02c9a/CHANGES

Russ Combs recently suggested that snort has support for it in recent
releases:

 http://seclists.org/snort/2010/q3/66

I'm having trouble finding documentation or any evidence of folks using
this feature though.  Does it require configuration to enable, or is it
automatic as long as the kernel, libpcap, and snort version all support
it?  Is there a way to test and confirm that mmapped capture is being
used on a given snort instance?


It looks like the later versions will use mmap if possible.

A crude way to check on linux:  run this before and after starting Snort:

    grep -i mapped /proc/meminfo

BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and works
with live traffic both passive and inline.  :)


Cheers,
Mike Lococo


------------------------------------------------------------------------------
This SF.net email is sponsored by

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
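The /proc/meminfo check above is system-wide and noisy. A more specific way to answer Mike's question ("is this Snort instance actually using an mmapped ring?") is to look at the process itself. The script below is an added example and is not code from the thread or from the Snort or libpcap projects. It rests on two assumptions about Linux /proc that you should verify on your own kernel: that a PACKET_RX_RING / PACKET_TX_RING mmap shows up in /proc/<pid>/maps as a shared mapping ("s" in the perms column) whose pathname is socket:[<inode>] (sockfs names socket dentries that way), and that /proc/net/packet lists every AF_PACKET socket with its inode in the last column. Intersecting the two tells you the mapped region belongs to a packet socket rather than some other mmapped object. The "Mapped:" delta from /proc/meminfo is kept as the crude fallback Russ described. All sample text in the block is constructed for the demonstration.

```python
"""Confirm that a capture process (e.g. Snort) is using a memory-mapped
AF_PACKET ring.

Added example, not from the Snort list thread or the Snort/libpcap code.
Assumptions about Linux /proc (verify on your kernel):
  * a PACKET_RX_RING / PACKET_TX_RING mmap appears in /proc/<pid>/maps as a
    shared mapping ("s" in perms) whose pathname is socket:[<inode>];
  * /proc/net/packet lists every AF_PACKET socket, inode in the last column.
The sample texts below are constructed, not captured from a real host.
"""
import re
import sys

# maps line layout: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\d+\s+socket:\[(?P<inode>\d+)\]\s*$"
)


def socket_mappings(maps_text):
    """Return {socket_inode: mapped_bytes} for shared, socket-backed mappings."""
    rings = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or "s" not in m.group("perms"):
            continue  # not socket-backed, or a private mapping
        size = int(m.group("end"), 16) - int(m.group("start"), 16)
        inode = int(m.group("inode"))
        rings[inode] = rings.get(inode, 0) + size
    return rings


def packet_socket_inodes(net_packet_text):
    """Return the set of inodes listed in /proc/net/packet (header skipped)."""
    inodes = set()
    for line in net_packet_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[-1].isdigit():
            inodes.add(int(fields[-1]))
    return inodes


def mmapped_packet_rings(maps_text, net_packet_text):
    """Socket inodes the process has mmapped that are AF_PACKET sockets."""
    packet = packet_socket_inodes(net_packet_text)
    return {ino: size for ino, size in socket_mappings(maps_text).items()
            if ino in packet}


def mapped_kb(meminfo_text):
    """The 'Mapped:' figure from /proc/meminfo in kB (the crude global check)."""
    for line in meminfo_text.splitlines():
        if line.startswith("Mapped:"):
            return int(line.split()[1])
    raise ValueError("no Mapped: line in meminfo text")


# --- constructed sample input ---------------------------------------------
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c800000 rw-s 00000000 00:08 41235 socket:[41235]
7f3a1d000000-7f3a1d021000 r-xp 00000000 08:01 1311 /usr/lib/libpcap.so.1
7ffd4c9e0000-7ffd4ca01000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      41235
"""
SAMPLE_MEMINFO_BEFORE = "MemTotal:  8000000 kB\nMapped:     120000 kB\n"
SAMPLE_MEMINFO_AFTER = "MemTotal:  8000000 kB\nMapped:     128192 kB\n"


def main(argv):
    """Usage: check_ring.py <snort-pid>  (reads the live /proc on Linux)."""
    pid = int(argv[1])
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open("/proc/net/packet") as f:
        net_packet_text = f.read()
    rings = mmapped_packet_rings(maps_text, net_packet_text)
    if not rings:
        print(f"pid {pid}: no mmapped AF_PACKET ring found")
        return 1
    for ino, size in rings.items():
        print(f"pid {pid}: AF_PACKET socket inode {ino} mmapped, "
              f"{size // 1024} kB ring")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_ring.py $(pidof snort)` on the sensor. Reading another process's maps file needs the same uid as the target or root, so run it as whatever Snort runs as. Against the constructed sample the script reports one AF_PACKET socket (inode 41235) with an 8 MiB shared mapping; an instance using a plain read()-based pcap path shows no socket-backed mapping at all.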
