[Snort-devel] libpcap mmap issues on Snort

Anand Raj Manickam anandrm at ...2499...
Fri Aug 8 03:12:58 EDT 2014


Hi,
This is a followup to the email thread - http://seclists.org/snort/2014/q3/547
I m running Snort on Mirror/SPAN port .
I have been facing a issue where the packets got internal
fragmentation / split on libpcap due which snort was failing to
Inspect packets.
When "HAVE_PACKET_RING" code was disabled in libpcap and rebuild ,
Snort was able to Inspect packets right.
But the issue post this was , i was able to run only one flow /
connection . Beyond a single connection , i was not able to interrupt
the snort process (Ctrl + C) fails to summarize the reports .

Thanks,




More information about the Snort-devel mailing list