Snort mailing list archives
Re: Mmapped Capture on Linux
From: Mike Lococo <mikelococo () gmail com>
Date: Thu, 12 Aug 2010 17:57:17 -0400
It looks like the later versions will use mmap if possible. A crude way to check on Linux: run this before and after starting Snort:
grep -i mapped /proc/meminfo
The mapped allocation grows a bit and then bounces around after enabling Snort. Prior to enabling Snort, it's quite stable. I assume this means that we're using mmapped collection already.
BTW, you can go to Snort 2.9.0 and use afpacket. That uses mmap and works with live traffic both passive and inline. :)
I'll have a peek at this. I'm still seeing ~ 10% packet loss at 50mbit/sec on a fairly monstrous box with very little CPU usage. I'll also have to look into kernel-tuning a bit. I've been spoiled by Endace Dag cards on high-bandwidth links. Monitoring a measly 150 megabits on a commodity Ethernet card seems difficult by comparison.
Thanks for your help.
Cheers,
Mike Lococo
Current thread:
- Mmapped Capture on Linux Mike Lococo (Aug 11)
- Re: Mmapped Capture on Linux Russ Combs (Aug 12)
- Re: Mmapped Capture on Linux Mike Lococo (Aug 12)
- Re: Mmapped Capture on Linux beenph (Aug 12)
- Re: Mmapped Capture on Linux beenph (Aug 13)
- Re: Mmapped Capture on Linux Russ Combs (Aug 13)
- Re: Mmapped Capture on Linux beenph (Aug 13)
- Re: Mmapped Capture on Linux Michael Altizer (Aug 13)
- Re: Mmapped Capture on Linux Mike Lococo (Aug 12)
- Re: Mmapped Capture on Linux Russ Combs (Aug 12)