[Snort-users] Why does snort on Linux report this?

Phil Wood cpw at ...440...
Sun Nov 12 21:57:16 EST 2000


I don't have a complete answer for you.  But, the message is not based on
any knowledge of the packet capture mechanism employed by the particular
pcap library.  It is the result of running a print statement between
an #ifdef LINUX / #endif.

I found a libpcap implementation which uses a shared memory (kernel/pcap
process) ring buffer.  If the kernel cannot put a packet on the ring,
it increments a packet lost count.  A fast cpu, large ring buffer and
judicious rule selection makes it possible to keep up with a 100Mbit
network (FDDI in my case), as long as the packets per second are not
pegged at the max for long periods.  Spikes can be accommodated by a
10,000 or more packet ring buffer.  The processing delta between each
packet is a factor.  If you scan each packet for an 80 byte string
for each rule, and you have 1000 rules, I'd imagine packet loss would
begin to appear %^).

I'm using two variants of this ring buffer mechanism.  One was available
in linux-2.2.* as a kernel patch provided by:

  kernel-turbopacket.dif.gz

The second is available in linux-2.4.* as part of the source code.

Both are supported by a patch to libpcap-0.4.  You can find this stuff at:

  ftp://ftp.src.uchicago.edu/pub/linux/ip-routing/lbl-tools/

a mirror of ftp://ftp.inr.ac.ru/ip-routing/lbl-tools/

This is old stuff.  There is an effort to clean up libpcap/tcpdump going
on at tcpdump.org.  I don't know if the folks involved are going to
integrate an interface to the shared memory ring stuff found in:

  /usr/src/linux/net/packet/af_packet.c

Hope this helps,

Phil


On Mon, Nov 13, 2000 at 09:10:03AM +1300, Jason Haar wrote:
> When I run snort in non-daemon mode and shut it down with Ctrl-C, it reports 
> 
> 
> Snort received 43 packets.
> Packet loss statistics are unavailable under Linux.  Sorry!
> 
> 
> What's missing in Linux that stops that working? Sounds to me like a bit of
> a hole. I mean, doesn't that mean that anyone using snort under Linux won't
> ever know if their system is dropping packets and therefore potentially
> missing attacks/etc?
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users

-- 
Phil Wood, cpw at ...440...
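To make the ring-buffer argument in Phil's reply concrete, here is an added simulation (not code from the post, libpcap, or the kernel patch). It models the kernel producer writing into a fixed number of ring slots and incrementing a lost counter whenever no slot is free, while the consumer drains a fixed number of packets per tick. The names `ring_t`, `simulate_loss`, `demo_spike_loss` and `demo_sustained_loss` and the traffic patterns are constructed for this illustration; the numbers show why a burst is absorbed by a large ring while a sustained overload eventually drops packets no matter how large the ring is.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the kernel/pcap shared-memory ring: the kernel
 * producer fills slots, and if none is free it drops the packet and bumps
 * a lost counter; the user-space consumer drains up to a fixed budget of
 * packets per tick. All names here are assumptions for the illustration. */
typedef struct {
    size_t capacity;        /* number of slots in the ring */
    size_t count;           /* slots currently occupied */
    unsigned long lost;     /* packets the producer could not enqueue */
    unsigned long enqueued; /* packets successfully placed on the ring */
    unsigned long consumed; /* packets drained by the consumer */
} ring_t;

static void ring_init(ring_t *r, size_t capacity) {
    memset(r, 0, sizeof *r);
    r->capacity = capacity;
}

/* Producer side: returns 1 if the packet was queued, 0 if it was dropped. */
static int ring_put(ring_t *r) {
    if (r->count == r->capacity) {
        r->lost++;
        return 0;
    }
    r->count++;
    r->enqueued++;
    return 1;
}

/* Consumer side: drain up to `budget` packets (the per-tick processing rate). */
static void ring_drain(ring_t *r, size_t budget) {
    size_t n = r->count < budget ? r->count : budget;
    r->count -= n;
    r->consumed += n;
}

/* Tick-by-tick simulation: arrivals[i] packets arrive in tick i and the
 * consumer processes at most `service` packets per tick. All of a tick's
 * arrivals land before that tick's drain (the pessimistic ordering).
 * Returns the number of packets lost over the whole run. */
unsigned long simulate_loss(size_t ring_size, const size_t *arrivals,
                            size_t ticks, size_t service) {
    ring_t r;
    ring_init(&r, ring_size);
    for (size_t i = 0; i < ticks; i++) {
        for (size_t j = 0; j < arrivals[i]; j++)
            ring_put(&r);
        ring_drain(&r, service);
    }
    return r.lost;
}

#define DEMO_TICKS 100

/* Constructed traffic: a burst of 5000 packets in the first tick, then a
 * steady 100 per tick, against a consumer that handles 1000 per tick. */
unsigned long demo_spike_loss(size_t ring_size) {
    size_t arrivals[DEMO_TICKS];
    for (size_t i = 0; i < DEMO_TICKS; i++)
        arrivals[i] = 100;
    arrivals[0] = 5000;
    return simulate_loss(ring_size, arrivals, DEMO_TICKS, 1000);
}

/* Constructed sustained overload: 1500 packets per tick for 20 ticks
 * against the same 1000 packets-per-tick consumer. */
unsigned long demo_sustained_loss(size_t ring_size) {
    size_t arrivals[20];
    for (size_t i = 0; i < 20; i++)
        arrivals[i] = 1500;
    return simulate_loss(ring_size, arrivals, 20, 1000);
}

int main(void) {
    printf("spike, 10000-slot ring:      %lu lost\n", demo_spike_loss(10000));
    printf("spike, 1000-slot ring:       %lu lost\n", demo_spike_loss(1000));
    printf("sustained, 10000-slot ring:  %lu lost\n", demo_sustained_loss(10000));
    return 0;
}
```

With the 10,000-slot ring the burst is absorbed and drained over the following ticks with no loss; with a 1,000-slot ring 4,000 packets of the same burst are dropped on the spot. Under the sustained 1,500-per-tick load the backlog grows by 500 per tick until the large ring fills at tick 18, after which 500 packets are lost on every further tick, which is the "pegged at the max for long periods" case the reply warns about.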
