[Snort-users] libpcap for linux with MMAP capabilities

Phil Wood cpw at ...440...
Fri Mar 22 13:38:05 EST 2002


Folks,

This message is for savvy linux/snort users who might have heard rumblings
about a shared memory ring buffer originally made possible by Alexey Kuznetsov.

I've been using his implementation in a modified form for some time, and
recently made a patchfile using the libpcap-current found at tcpdump.org.
That was on Mar 20, 2002.  If you want to try snort and/or tcpdump with
these new changes I would take a look at the attached script to build
a libpcap with the MMAP capability.

On the other hand, you could wait for tcpdump.org to verify the patches I
have submitted and then try it.

Onwards and upwards,

-- 
Phil Wood, cpw at ...440...
-------------- next part --------------
#!/bin/bash
# bash, not plain sh: the script relies on pushd/popd below.

cat << EOF | more

NOTE:

If your kernel is not 2.4.* or you have not built a kernel with the following
configuration options:

CONFIG_PACKET_MMAP
CONFIG_PACKET
CONFIG_FILTER

you will need to do so before proceeding.

Once you have the above described kernel, you will have to make sure that the
two directories:

/usr/include/linux
/usr/include/asm

are from the kernel you have built. This can be accomplished by:

cd /usr/include
mv linux linux.bak
mv asm asm.bak
ln -s /usr/src/linux/include/linux linux
ln -s /usr/src/linux/include/asm asm

EOF
echo
echo -n "If you have this setup, please type the word 'proceed': "
read proceed
if [ x"$proceed" != "xproceed" ]; then echo "Bye"; exit 1; fi

# abort on the first failing command (download, patch, configure, make ...)
set -e

# all three sources are fetched over plain http, so the patch is checked
# against its published md5 before it is applied
PHILS=http://public.lanl.gov/cpw
TCPDUMP_ORG=http://www.tcpdump.org/daily
SNORT=http://www.snort.org/dl
SNORT_RELEASE=snort-1.8.4
mkdir workplace
cd workplace

wget $PHILS/libpcap-mmap.patch
# the md5 for my patch is 37b311044448c36caeb0f57a3e774de9; stop here if
# the downloaded file does not match it
echo "37b311044448c36caeb0f57a3e774de9  libpcap-mmap.patch" | md5sum -c -
wget $TCPDUMP_ORG/libpcap-current.tar.gz
tar -zxf libpcap-current.tar.gz
# the daily snapshot unpacks into a dated directory (libpcap-2002mmdd);
# give it a stable name that tcpdump and snort can be pointed at
ln -s libpcap-2002* libpcap
pushd libpcap
patch -p 1 < ../libpcap-mmap.patch
# the patch touches configure.in / Makefile.in, so regenerate the build files
aclocal
autoconf
autoheader
automake
./configure --prefix=/usr/local
make
popd

wget $TCPDUMP_ORG/tcpdump-current.tar.gz
tar -zxf tcpdump-current.tar.gz
ln -s tcpdump-*[0-9] tcpdump
pushd tcpdump
./configure --prefix=/usr
make
popd

wget $SNORT/$SNORT_RELEASE.tar.gz
tar -zxf $SNORT_RELEASE.tar.gz
pushd $SNORT_RELEASE
# snort's configure looks for pcap.h in /usr/include/pcap; point it at the
# patched tree instead (keep a pristine copy so the sed can be re-run)
if [ ! -f configure.orig ]; then cp configure configure.orig; fi
sed -e 's#/usr/include/pcap#../libpcap#' < configure.orig > configure
./configure \
  --prefix=/usr/local \
  --with-libpcap-libraries=../libpcap
make
popd

./$SNORT_RELEASE/snort -V
echo "as root:"
echo ""
echo "PCAP_VERBOSE=1 PCAP_FRAMES=max ./$SNORT_RELEASE/snort -vn 1"
echo "To learn more see:"
echo "  workplace/libpcap/README.linux"
echo "  workplace/libpcap/README.ring"
