Snort mailing list archives

Best practice for Snort with pcap file?


From: Nishant Bhat via Snort-users <snort-users () lists snort org>
Date: Fri, 16 Jun 2017 21:52:27 +0000

(Noob question) I'm setting up Snort 3, and the manual shows both how to
set up Snort to listen to live traffic on a network interface, and how to
have Snort inspect a packet capture file. I'm wondering which of these
configurations is a better practice? I see more examples of the
pcap-inspection setup, so I'm assuming this is what tends to get used. It
also seems like this is the only way to take advantage of Snort 3's
multithreading.

In this case, do people usually set up a separate instance of tcpdump to
capture packets? If so, how do you avoid having the pcap file use all your
disk space? Thanks in advance!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
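An added example, not part of the list post and not Snort project tooling: a small wrapper that answers the disk-space concern by capturing with a tcpdump ring buffer (`-C` rotates the file at a size limit, `-W` caps how many files exist before the oldest is overwritten) and hands each completed file to Snort 3 through tcpdump's `-z` post-rotate hook. The capture directory and config path (`/var/pcap`, `/etc/snort/snort.lua`) are assumptions; `snort_dir_cmd` shows the `--pcap-dir` plus `-z THREADS` form, which is where Snort 3's packet-thread parallelism applies to offline inspection.

```shell
#!/usr/bin/env bash
# Added example (not from the list post or the Snort project).
# Bounded tcpdump ring buffer, each finished file inspected by Snort 3.
# Assumed paths: PCAP_DIR and SNORT_CONF below.
set -euo pipefail

PCAP_DIR="${PCAP_DIR:-/var/pcap}"                   # assumed capture directory
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.lua}"    # assumed Snort 3 config

# Upper bound on disk used by the ring buffer, in bytes: FILE_MB * FILE_COUNT.
ring_bytes() {
  local mb="$1" count="$2"
  case "$mb$count" in
    *[!0-9]*|"") echo "ring_bytes: integer size and count required" >&2; return 1 ;;
  esac
  echo $(( mb * count * 1024 * 1024 ))
}

# tcpdump command: -C rotates every FILE_MB megabytes, -W keeps at most
# FILE_COUNT files (oldest overwritten), -z runs HANDLER with the closed file
# as its single argument. HANDLER must be one executable path, not a command
# line with arguments, because tcpdump execs it directly.
tcpdump_ring_cmd() {
  local iface="$1" mb="$2" count="$3" handler="$4"
  ring_bytes "$mb" "$count" >/dev/null
  echo "tcpdump -i $iface -n -s 0 -C $mb -W $count -z $handler -w $PCAP_DIR/ring.pcap"
}

# Snort 3 command for one completed file; -A alert_fast gives one line per alert.
snort_inspect_cmd() {
  local file="$1"
  echo "snort -c $SNORT_CONF -r $file -A alert_fast"
}

# Snort 3 command for a directory of captures: files are distributed over
# packet threads, so -z THREADS is the knob that makes offline inspection parallel.
snort_dir_cmd() {
  local dir="$1" threads="$2"
  echo "snort -c $SNORT_CONF --pcap-dir $dir -z $threads -A alert_fast"
}

if [ "${1:-}" = "capture" ]; then
  # usage: script capture IFACE [MB] [COUNT]; this script itself is the -z handler
  mkdir -p "$PCAP_DIR"
  eval "$(tcpdump_ring_cmd "$2" "${3:-100}" "${4:-20}" "$(readlink -f "$0")")"
elif [ -f "${1:-}" ]; then
  # invoked by tcpdump -z with the finished pcap as the only argument
  eval "$(snort_inspect_cmd "$1")"
else
  echo "usage: $0 capture IFACE [MB] [COUNT]   (or: $0 FILE.pcap)" >&2
fi
```

With the defaults (100 MB files, 20 of them) the capture never occupies more than about 2 GB regardless of how long tcpdump runs, and Snort only ever reads closed files, so there is no race on a file still being written. If captures arrive faster than a single `snort -r` can drain them, switch the handler to queue files and run `snort_dir_cmd` over the batch instead.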