[Snort-devel] Snort vs. Libpcap versions.

Erek Adams erek at ...835...
Sat May 31 20:48:06 EDT 2003


On Sat, 31 May 2003, larosa, vjay wrote:

> Can anybody give me a clue as to what version of libpcap is recommended to
> be used with Snort? I believe that I heard Marty say at last year's SANS
> Boston IDS class that the older 0.4 version is what he recommends. Then I
> believe while reading the new Snort 2.0 book from Syngress it says to use
> the latest and greatest version of libpcap. Any comments?

Both are right.  :)  Almost anything greater than 0.4 will be fine.  Be
careful with the CVS tarballs, I've had some folks who can't compile from
them.

If running on a Linux-based system, you might want to check out Phil
Wood's "Burnt Offerings" [0].  You can find one very nice libpcap patch
for Linux 2.4.x kernels that adds MMAP, ring buffers and supports
TurboPacket.  From what people have said, there is usually a gain from
using the patches.  I don't run a Linux-based box so I haven't gotten a
chance to beat on it myself.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


[0]	http://public.lanl.gov/cpw/



