[Snort-users] I find it odd that this product would not be supported for SMP win2k machines

Matt Kettler mkettler at ...4108...
Wed Dec 4 10:52:03 EST 2002

Quite frankly, I've always been surprised that Snort supports Windows at 
all, but given that there is a port of pcap to windows it's not all that 
hard. Given that it's a popular platform the relatively low pain level of 
making a windows port makes it worthwhile having one.

However, let's face it. Snort is written from the ground up as a Unix 
application. The fact that it is somewhat portable to windows facilitates 
the existence of a windows version, but that was not an original design 
criterion of Snort as far as I know. It is a nice extra for it to be usable 
on both, but I don't think Marty sat down before writing Snort and said "If 
I'm going to do this it must run on Windows too". (Note: that's an opinion, 
I'm taking a loosely educated guess and am not trying to put words into 
Marty's mouth, he can feel free to correct me if he feels the need :))

Pcap is also a unix piece of software, which happens to have a windows 
port, but let's face it.. it also wasn't designed for Windows. It is THE 
standard for packet capture on unix platforms. Others exist, but let's face 
it, none have the same level of prevalence as pcap does.

It would be VERY nice to improve pcap's support for SMP windows sure, but 
that's really an issue to take up with the winpcap guys, not the Snort team.

As far as packet capture libs for Windows go... are there any out there 
besides winpcap that are free to use, much less open-source?

If you really want a program that will take the fullest advantage of a 
Windows system, you're probably better off with a piece of software that 
was written for Windows in the first place. It's damn near impossible to 
write a program that's optimal for both Windows and Unix platforms, and one 
is always going to be a compromise. The application interfaces for advanced 
programming are just way too different to have the same code work optimally 
for both.

At 10:52 AM 12/4/2002 +0200, Tal wrote:

>I am working with SNORT with my win2k for a few weeks now, only realizing it 
>is not working on SMP machines with windows installments a few days ago.
>I was reading a lot of good reviews of this open source and I even 
>stumbled over a comparative analysis with the other tools currently 
>available on the market.
>I must say that although the problem originates from the winpcap usage and 
>not from any SNORT specific code, this problem raises a big question mark 
>as for the validity of using SNORT for windows (random blue screens or 
>forcing the usage of only one processor are not acceptable solutions imho).
>I am not trying to criticize SNORT nor do I intend to slander it. I am 
>just stating my disbelief that a product which for many seems a standard 
>would not support SMP with windows.
>Do you guys have any plans for replacing the winpcap library? Help in 
>fixing the winpcap SMP problems? Support any other packet capturing library?
>Thank you in advance.
>Tal Beno.

