[Snort-users] how snort and ip forwarding fit together

Matt Kettler mkettler at ...4108...
Fri Jan 25 11:46:08 EST 2002

Snort does not pick up IP packets per se.. Snort picks up ethernet frames 
using libpcap. From a my understanding (which is probably not exactly 
correct, but is functionally correct as best I know) pcap is more-or-less 
an ethernet level library. I view it as seeing traffic between the ethernet 
device driver and the bottom of the network stack. I suspect that 
technically speaking pcap attaches to the bottom layer of the network stack 
and gets to see copies of the packets right after it receives them, or 
right before it sends them to the device driver, but the differences are 
minor details and doesn't really impact what is seen or not seen. For that 
matter it could attach to the top of the device driver, but the net result 
would be the same..

So for packets from eth0 with snort listening on eth1, snort will see 
packets after they have been input filtered for eth0, passed up the IP 
stack, been forwarded, passed down the IP stack, through any output ip 
filtering for eth1, and will see them as they are passed to the ethernet 
driver for transmit.

As far as polling vs kernel signals goes, if it works the way I think it 
does it is really neither but has some aspects of both. It's blocking IO, 
not callbacks or polling.

As best I can tell, snort/pcap/linux work together the way most blocking IO 
operations are handled in Linux. Snort calls a read function, that read 
function blocks and puts the calling thread to sleep. When data arrives the 
kernel wakes the sleeping thread by triggering the object it is blocking on 
(often from the interrupt handler or another function that was sleeping and 
was woken by the interrupt handler). Snort wakes up, processes, calls read 

I could be wrong so if I am, please someone feel free to correct me.

At 06:39 PM 1/25/2002 +0000, you wrote:

>I am using snort on lrp oxygen & Mandrake(set up as router too).
>Snort is sniffing on eth1 & I am flooding traffic from a test system
>into eth0. I believe that snort picks up the ip packets from the
>memory after the ip forwarding function in the kernel puts them
>in the memory( eth1 outbound queue).
>Does snort work in a polling fashion or the kernel signals the
>snort process each time it puts the packet in the memory ?
>Or I've got it totally wrong !!:)
>any suggestions !

More information about the Snort-users mailing list