[Snort-users] Why does snort on Linux report this?
cpw at ...440...
Sun Nov 12 21:57:16 EST 2000
I don't have a complete answer for you. But, the message is not based on
any knowledge of the packet capture mechanism employed by the particular
pcap library. It is the result of running a print statement between
an #ifdef LINUX / #endif.
I found a libpcap implementation which uses a shared memory (kernel/pcap
process) ring buffer. If the kernel cannot put a packet on the ring,
it increments a packet lost count. A fast cpu, large ring buffer and
judicious rule selection makes it possible to keep up with a 100Mbit
network (FDDI in my case), as long as the packets per second is not
pegged at the max for long periods. Spikes can be accommodated by a
10,000 or more packet ring buffer. The processing delta between each
packet is a factor. If you scan each packet for an 80 byte string
for each rule, and you have 1000 rules, I'd imagine packet loss would
begin to appear %^).
I'm using two variants of this ring buffer mechanism. One was available
in linux-2.2.* as a kernel patch provided by:
The second is available in linux-2.4.* as part of the source code.
Both are supported by a patch to libpcap-0.4. You can find this stuff at:
a mirror of ftp://ftp.inr.ac.ru/ip-routing/lbl-tools/
This is old stuff. There is an effort to clean up libpcap/tcpdump going
on at tcpdump.org. I don't know if the folks involved are going to
integrate an interface to the shared memory ring stuff found in:
Hope this helps,
On Mon, Nov 13, 2000 at 09:10:03AM +1300, Jason Haar wrote:
> When I run snort in non-daemon mode and shut it down with Ctrl-C, it reports
> Snort received 43 packets.
> Packet loss statistics are unavailable under Linux. Sorry!
> What's missing in Linux that stops that working? Sounds to me like a bit of
> a hole. I mean, doesn't that mean that anyone using snort under Linux won't
> ever know if their system is dropping packets and therefore potentially
> missing attacks/etc?
> Jason Haar
> Unix/Special Projects, Trimble NZ
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
Phil Wood, cpw at ...440...
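The ring-buffer behaviour Phil describes (the kernel places each captured packet on a shared ring, bumps a lost counter when the ring is full, and a large ring absorbs spikes) as an added toy simulation; this is not code from the thread, libpcap or snort, and the traffic rates, ring sizes and per-packet rule cost are constructed values.

```python
"""Toy model of the kernel-to-sniffer shared-memory packet ring.

Added illustration, not code from the thread, libpcap or snort. It
assumes the kernel appends each captured packet to a fixed-size ring,
increments a lost counter when the ring is full, and the sniffer drains
packets at a fixed per-packet rule-matching cost.
"""


def simulate_ring(arrivals_per_ms, ring_slots, service_us):
    """Replay one tick per millisecond and return capture statistics.

    arrivals_per_ms : packets arriving in each 1 ms tick (constructed)
    ring_slots      : slots in the shared ring (e.g. 10000 as above)
    service_us      : microseconds the sniffer spends per packet on rules
    Returns {"placed": ..., "lost": ..., "max_depth": ...}.
    """
    drain_per_ms = 1000 // service_us  # packets the sniffer finishes per tick
    depth = placed = lost = max_depth = 0
    for n in arrivals_per_ms:
        # Kernel side: fill free slots, count the remainder as lost.
        room = ring_slots - depth
        taken = min(n, room)
        placed += taken
        lost += n - taken
        depth += taken
        max_depth = max(max_depth, depth)
        # Sniffer side: consume what the per-tick time budget allows.
        depth -= min(depth, drain_per_ms)
    return {"placed": placed, "lost": lost, "max_depth": max_depth}


# Constructed traffic: 20k pps baseline with a 200 ms burst at 60k pps.
BURSTY_TRAFFIC = [20] * 100 + [60] * 200 + [20] * 500
RULE_COST_US = 40  # sniffer keeps up with 25k pps, below the burst rate


def compare_ring_sizes():
    """Same traffic and rule cost, small ring versus large ring."""
    return {
        slots: simulate_ring(BURSTY_TRAFFIC, slots, RULE_COST_US)
        for slots in (1000, 10000)
    }


if __name__ == "__main__":
    for slots, stats in compare_ring_sizes().items():
        print(f"ring={slots:5d} placed={stats['placed']} "
              f"lost={stats['lost']} max_depth={stats['max_depth']}")
```

With the 1000-slot ring the burst overflows and packets are lost; with the 10,000-slot ring the same burst is queued and drained afterwards with no loss, which is the statistic a sniffer needs to report to know whether it saw everything.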