[Snort-users] how snort and ip forwarding fit together
mkettler at ...4108...
Fri Jan 25 11:46:08 EST 2002
Snort does not pick up IP packets per se. Snort picks up ethernet frames
using libpcap. From my understanding (which is probably not exactly
correct, but is functionally correct as best I know) pcap is more-or-less
an ethernet level library. I view it as seeing traffic between the ethernet
device driver and the bottom of the network stack. I suspect that
technically speaking pcap attaches to the bottom layer of the network stack
and gets to see copies of the packets right after it receives them, or
right before it sends them to the device driver, but the differences are
minor details and don't really impact what is seen or not seen. For that
matter it could attach to the top of the device driver, but the net result
would be the same.

So for packets from eth0 with snort listening on eth1, snort will see
packets after they have been input filtered for eth0, passed up the IP
stack, been forwarded, passed down the IP stack, through any output IP
filtering for eth1, and will see them as they are passed to the ethernet
driver for transmit.

As far as polling vs kernel signals goes, if it works the way I think it
does it is really neither, but has some aspects of both. It's blocking IO,
not callbacks or polling.

As best I can tell, snort/pcap/linux work together the way most blocking IO
operations are handled in Linux. Snort calls a read function; that read
function blocks and puts the calling thread to sleep. When data arrives the
kernel wakes the sleeping thread by triggering the object it is blocking on
(often from the interrupt handler or another function that was sleeping and
was woken by the interrupt handler). Snort wakes up, processes, calls read

I could be wrong so if I am, please someone feel free to correct me.

At 06:39 PM 1/25/2002 +0000, you wrote:
>I am using snort on lrp oxygen & Mandrake(set up as router too).
>Snort is sniffing on eth1 & I am flooding traffic from a test system
>into eth0. I believe that snort picks up the ip packets from the
>memory after the ip forwarding function in the kernel puts them
>in the memory (eth1 outbound queue).
>Does snort work in a polling fashion or the kernel signals the
>snort process each time it puts the packet in the memory ?
>Or I've got it totally wrong !!:)
>any suggestions !
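Added example (not part of the post above, and not Snort or libpcap code): the reply says a sniffer on eth1 sees the frame only after it has gone through input filtering on eth0, been forwarded, and been handed to the eth1 driver. The C program below makes that concrete by constructing a sample Ethernet/IPv4 frame as eth0 would receive it and applying the header rewrite a forwarding hop performs before the frame leaves eth1: destination MAC becomes the next hop, source MAC becomes the router's eth1 address, TTL is decremented and the IPv4 header checksum is recomputed. `forward_frame` is a model of that rewrite written for this example, not kernel code; every MAC and IP address in it is a made-up assumption, and the payload is constructed. It also shows one case where eth1 sees nothing at all: a packet whose TTL would reach zero is dropped by the router instead of being forwarded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14          /* dst MAC, src MAC, ethertype */
#define IP_HLEN  20          /* IPv4 header without options */
#define SAMPLE_PAYLOAD 8
#define SAMPLE_FRAME_LEN (ETH_HLEN + IP_HLEN + SAMPLE_PAYLOAD)

/* Hypothetical addresses, chosen for this constructed example only. */
static const uint8_t TEST_HOST_MAC[6]   = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0x01};
static const uint8_t ROUTER_ETH0_MAC[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x00};
static const uint8_t ROUTER_ETH1_MAC[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x01};
static const uint8_t NEXT_HOP_MAC[6]    = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0x02};

/* RFC 1071 ones'-complement checksum over big-endian 16-bit words. */
uint16_t ip_checksum(const uint8_t *data, size_t len) {
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((data[i] << 8) | data[i + 1]);
    if (i < len)
        sum += (uint32_t)(data[i] << 8);
    while (sum >> 16)                       /* fold carries back in */
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1 if the frame is IPv4 over Ethernet with an intact header checksum, else 0. */
int ip_header_valid(const uint8_t *frame, size_t len) {
    size_t ihl;
    if (len < ETH_HLEN + IP_HLEN) return 0;
    if (frame[12] != 0x08 || frame[13] != 0x00) return 0;   /* ethertype IPv4 */
    if ((frame[ETH_HLEN] >> 4) != 4) return 0;               /* version */
    ihl = (size_t)(frame[ETH_HLEN] & 0x0F) * 4;
    if (ihl < IP_HLEN || len < ETH_HLEN + ihl) return 0;
    return ip_checksum(frame + ETH_HLEN, ihl) == 0;          /* valid header sums to 0xFFFF */
}

int frame_ttl(const uint8_t *frame) { return frame[ETH_HLEN + 8]; }

/* Constructed frame as eth0 receives it from the test host; buf holds SAMPLE_FRAME_LEN bytes. */
size_t build_sample_frame(uint8_t *buf, uint8_t ttl) {
    uint8_t *ip = buf + ETH_HLEN;
    uint16_t csum;
    memset(buf, 0, SAMPLE_FRAME_LEN);
    memcpy(buf, ROUTER_ETH0_MAC, 6);        /* dst MAC: router's eth0 */
    memcpy(buf + 6, TEST_HOST_MAC, 6);      /* src MAC: test host */
    buf[12] = 0x08; buf[13] = 0x00;         /* ethertype IPv4 */
    ip[0] = 0x45;                            /* version 4, IHL 5 */
    ip[2] = 0x00; ip[3] = IP_HLEN + SAMPLE_PAYLOAD;          /* total length 28 */
    ip[4] = 0x12; ip[5] = 0x34;              /* identification */
    ip[6] = 0x40; ip[7] = 0x00;              /* DF set, fragment offset 0 */
    ip[8] = ttl;
    ip[9] = 17;                              /* protocol: UDP */
    ip[12] = 10;  ip[13] = 0;   ip[14] = 0; ip[15] = 2;       /* src 10.0.0.2 */
    ip[16] = 192; ip[17] = 168; ip[18] = 1; ip[19] = 10;      /* dst 192.168.1.10 */
    csum = ip_checksum(ip, IP_HLEN);         /* checksum field is still zero here */
    ip[10] = (uint8_t)(csum >> 8); ip[11] = (uint8_t)(csum & 0xFF);
    memset(ip + IP_HLEN, 0x41, SAMPLE_PAYLOAD);              /* constructed payload */
    return SAMPLE_FRAME_LEN;
}

/* Model of the header rewrite between the eth0 ingress copy and the eth1 egress copy
 * (an emulation for this example, not the kernel's forwarding code). Returns 0 and
 * fills out with what a sniffer on eth1 sees; -1 for a malformed frame; -2 when the
 * TTL would reach 0, in which case the router drops the packet and eth1 never sees it. */
int forward_frame(const uint8_t *in, size_t len, uint8_t *out,
                  const uint8_t out_if_mac[6], const uint8_t next_hop_mac[6]) {
    uint8_t *ip;
    size_t ihl;
    uint16_t csum;
    if (!ip_header_valid(in, len)) return -1;
    if (in[ETH_HLEN + 8] <= 1) return -2;
    memcpy(out, in, len);
    ip = out + ETH_HLEN;
    memcpy(out, next_hop_mac, 6);           /* new dst MAC: next hop on eth1 */
    memcpy(out + 6, out_if_mac, 6);         /* new src MAC: router's eth1 */
    ip[8] -= 1;                              /* TTL decremented once per hop */
    ihl = (size_t)(ip[0] & 0x0F) * 4;
    ip[10] = 0; ip[11] = 0;
    csum = ip_checksum(ip, ihl);             /* header changed, so recompute */
    ip[10] = (uint8_t)(csum >> 8); ip[11] = (uint8_t)(csum & 0xFF);
    return 0;
}

int main(void) {
    uint8_t in[SAMPLE_FRAME_LEN], out[SAMPLE_FRAME_LEN];
    size_t n = build_sample_frame(in, 64);
    int rc = forward_frame(in, n, out, ROUTER_ETH1_MAC, NEXT_HOP_MAC);
    printf("eth0 ingress: ttl=%d src_mac ends %02x\n", frame_ttl(in), in[11]);
    if (rc == 0)
        printf("eth1 egress:  ttl=%d src_mac ends %02x checksum_ok=%d\n",
               frame_ttl(out), out[11], ip_header_valid(out, n));
    else
        printf("not forwarded (rc=%d): nothing for a sniffer on eth1 to see\n", rc);
    return 0;
}
```

The practical consequence for a Snort sensor on the egress interface is that any rule or analysis keyed on TTL or on link-layer addresses is looking at post-forwarding values, and that anything the router refuses to forward (input filtering on eth0, TTL expiry) never shows up on eth1 at all; the same comparison can be made on a real box by capturing on eth0 and eth1 at the same time.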