Snort mailing list archives
Re: Mmapped Capture on Linux
From: beenph <beenph () gmail com>
Date: Thu, 12 Aug 2010 19:05:40 -0400
For the general information, since 2.6.34 (maybe it could have been earlier) the kernel doesn't need to be compiled with mmap socket I/O support; it's now built-in.

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.34.y.git;a=commit;h=889b8f964f2f226b7cd5a0a515109e3d8d9d1613

-elz

On Thu, Aug 12, 2010 at 5:57 PM, Mike Lococo <mikelococo () gmail com> wrote:
It looks like the later versions will use mmap if possible. A crude way to check on Linux: run this before and after starting Snort:

    grep -i mapped /proc/meminfo

The mapped allocation grows a bit and then bounces around after enabling snort. Prior to enabling snort, it's quite stable. I assume this means that we're using mmapped collection already.

BTW, you can go to Snort 2.9.0 and use afpacket. That uses mmap and works with live traffic both passive and inline. :)

I'll have a peek at this. I'm still seeing ~ 10% packet loss at 50mbit/sec on a fairly monstrous box with very little CPU usage. I'll also have to look into kernel-tuning a bit. I've been spoiled by Endace Dag cards on high-bandwidth links. Monitoring a measly 150 megabits on a commodity ethernet card seems difficult by comparison.

Thanks for your help.

Cheers,
Mike Lococo

------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
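A more direct check than watching the Mapped counter in /proc/meminfo, as an added example that is not part of the original thread: it cross-references a process's memory map with the kernel's packet socket table. It relies on Linux listing a memory-mapped socket in /proc/<pid>/maps as socket:[inode]; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Print the inode of every AF_PACKET socket that a process has memory-mapped.
#   $1 = maps file            (format of /proc/<pid>/maps)
#   $2 = packet socket table  (format of /proc/net/packet)
# Live use (needs permission to read the target's maps, same network namespace):
#   mmapped_packet_sockets "/proc/$(pidof snort)/maps" /proc/net/packet
mmapped_packet_sockets() {
    awk '
        # Packet socket table: skip the header line; the inode is the last column.
        FILENAME == ARGV[1] { if (FNR > 1) packet[$NF] = 1; next }
        # Maps file: a mapped socket appears as socket:[inode] in the path column.
        match($NF, /^socket:\[[0-9]+\]$/) {
            inode = substr($NF, 9, RLENGTH - 9)
            if ((inode in packet) && !(inode in seen)) { seen[inode] = 1; print inode }
        }
    ' "$2" "$1"
}

# Constructed sample data: two packet sockets, only one of which is mapped,
# plus one mapped socket that is not a packet socket.
sample_check() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/packet" <<'EOF'
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff880012345000 3      3    0003   2     1 0      0      48211
ffff880012346000 3      3    0003   2     1 0      0      48305
EOF
    cat > "$dir/maps" <<'EOF'
00400000-004f2000 r-xp 00000000 08:01 1312345 /usr/local/bin/snort
7f3c10000000-7f3c12000000 rw-s 00000000 00:07 48211 socket:[48211]
7f3c12000000-7f3c12021000 rw-p 00000000 00:00 0
7f3c20000000-7f3c20001000 rw-s 00000000 00:07 50001 socket:[50001]
EOF
    mmapped_packet_sockets "$dir/maps" "$dir/packet"
    rm -rf "$dir"
}
```

No output for a running sensor means none of its packet sockets has a ring mapped, so capture is going through per-packet reads.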
Current thread:
- Mmapped Capture on Linux Mike Lococo (Aug 11)
- Re: Mmapped Capture on Linux Russ Combs (Aug 12)
- Re: Mmapped Capture on Linux Mike Lococo (Aug 12)
- Re: Mmapped Capture on Linux beenph (Aug 12)
- Re: Mmapped Capture on Linux beenph (Aug 13)
- Re: Mmapped Capture on Linux Russ Combs (Aug 13)
- Re: Mmapped Capture on Linux beenph (Aug 13)
- Re: Mmapped Capture on Linux Michael Altizer (Aug 13)
- Re: Mmapped Capture on Linux Mike Lococo (Aug 12)
- Re: Mmapped Capture on Linux Russ Combs (Aug 12)