[Snort-devel] snort option [-n packet-count ]

Steve Sturges (ststurge) ststurge at ...3461...
Thu May 22 10:25:59 EDT 2014


On May 21, 2014, at 11:49 PM, "ratheesh kannoth" <ratheesh.ksz at ...2499...> wrote:
> 
> Hi list,
> 
> I am working on a daq layer implementation. I have zero copy from
> driver and will send packet to snort thru daq layer. i have two
> questions.
> 
> 1. what is the advantage of mentioning packet-count ? because  in
> Daq_Acquire() function ,  daq layer has to call  the call back
> function of snort  and  act on verdict. It is all serial ( one packet
> at a time ). ?
> 
Yes, one packet at a time.
Once snort is finished with a packet, it returns from callback to the daq module and waits for next packet.

> 2. In DAQ layer, i have to fill   DAQ_PktHdr. i could see that
> hdr.egress_index  is filled as -1 in  some implementation (
>       like in PF_RING DAQ ). what is its significance ?
> 
That is up to the daq module... Basically If inline, that is the id (arbitrary per daq module) of the interface where packets are sent out.  If passive, it isn't set.
> 
> -Ratheesh
> 
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> 
> Please visit http://blog.snort.org for the latest news about Snort!




More information about the Snort-devel mailing list