[Snort-devel] PATCH 1/1]: DAQ pcaprr module

Jeff Murphy jeff.murphy at ...2499...
Fri Apr 29 09:33:20 EDT 2011



We use Endace DAG cards in our sensors along with regen taps. Those cards don't work with the bonding driver, so merging the two streams from a regen tap isn't possible (unless we use a different tap or fix the drivers to work together). The attached patch creates a new module in the os-daq-modules directory called "pcaprr.c". This module will open multiple devices and then make round-robin reads from the device list (much like the bonding driver would if it worked with the DAG driver).  Modifications made against DAQ 0.5 code.

Example use:

/usr/sbin/snort --daq-dir=/usr/lib64/daq --daq pcaprr -i dag0:4,dag1:4 

I've been running this DAQ code for ~3 weeks now. 

jeff 
> 




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110429/b3a8a220/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: daq_pcaprr.patch
Type: application/octet-stream
Size: 413670 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110429/b3a8a220/attachment.obj>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110429/b3a8a220/attachment-0001.html>


More information about the Snort-devel mailing list