[Snort-users] libpcap for linux with MMAP capabilities
cpw at ...440...
Fri Mar 22 13:38:05 EST 2002
This message is for savvy linux/snort users who might have heard rumblings
about a shared memory ring buffer originally made possible by Alexey Kuznetsov.
I've been using his implementation in a modified form for some time, and
recently made a patchfile using the libpcap-current found at tcpdump.org.
That was on Mar 20, 2002. If you want to try snort and/or tcpdump with
these new changes I would take a look at the attached script to build
a libpcap with the MMAP capability.
On the other hand, you could wait for tcpdump.org to verify the patches I
have submitted and then try it.
Onwards and upwards,
Phil Wood, cpw at ...440...
-------------- next part --------------
cat << EOF | more
If your kernel is not 2.4.* or you have not built a kernel with the following
you will need to do so before proceeding.
Once you have the above described kernel, you will have to make sure that the
are from the kernel you have built. This can be accomplished by:
mv linux linux.bak
mv asm asm.bak
ln -s /usr/src/linux/include/linux linux
ln -s /usr/src/linux/include/asm asm
EOF
echo -n "If you have this setup, please type the word 'proceed': "
read proceed
if [ x"$proceed" != "xproceed" ]; then echo "Bye"; exit 1; fi
# the md5 for my patch is 37b311044448c36caeb0f57a3e774de9
tar -zxf libpcap-current.tar.gz
ln -s libpcap-2002* libpcap
patch -p 1 < ../libpcap-mmap.patch
tar -zxf tcpdump-current.tar.gz
ln -s tcpdump-*[0-9] tcpdump
tar -zxf $SNORT_RELEASE.tar.gz
if [ ! -f configure.orig ]; then cp configure configure.orig; fi
sed -e 's#/usr/include/pcap#../libpcap#' < configure.orig > configure
echo "as root:"
echo "PCAP_VERBOSE=1 PCAP_FRAMES=max ./$SNORT_RELEASE/snort -vn 1"
echo "To learn more see:"
echo " workplace/libpcap/README.linux"
echo " workplace/libpcap/README.ring"
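
The script above records the patch's MD5 only in a comment and relies on the operator typing 'proceed' to confirm the kernel and header setup. The following is an added example, not part of Phil Wood's script, that turns those preconditions into checks that fail closed before `patch` runs. The function names and the include-directory argument are assumptions of this example; MD5 is used only because it is the one digest the post supplies.

```shell
#!/bin/sh
# Added example: pre-flight checks for the build script above.
# Function names are hypothetical; nothing here comes from the original script
# except the MD5 value and the /usr/src/linux/include path.

EXPECTED_PATCH_MD5=37b311044448c36caeb0f57a3e774de9   # value quoted in the post

# kernel_is_24 RELEASE -> 0 if the release string names a 2.4.* kernel
kernel_is_24() {
    case "$1" in
        2.4.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# md5_matches FILE EXPECTED -> 0 only if FILE exists and its MD5 equals EXPECTED
md5_matches() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# header_links_ok INCLUDE_DIR KERNEL_INC -> 0 if INCLUDE_DIR/linux and
# INCLUDE_DIR/asm are symlinks pointing at the built kernel's headers
header_links_ok() {
    for d in linux asm; do
        [ -L "$1/$d" ] || return 1
        [ "$(readlink "$1/$d")" = "$2/$d" ] || return 1
    done
    return 0
}

# preflight PATCHFILE INCLUDE_DIR [KERNEL_INC]
# INCLUDE_DIR is the directory holding the linux/asm links (caller supplies it).
preflight() {
    kernel_is_24 "$(uname -r)" || { echo "kernel is not 2.4.*" >&2; return 1; }
    header_links_ok "$2" "${3:-/usr/src/linux/include}" ||
        { echo "linux/asm headers are not linked to the built kernel" >&2; return 1; }
    md5_matches "$1" "$EXPECTED_PATCH_MD5" ||
        { echo "patch MD5 mismatch, refusing to apply" >&2; return 1; }
}
```

Calling `preflight libpcap-mmap.patch <include-dir> || exit 1` ahead of the `patch -p 1` line stops the build when the patch file differs from the one the author hashed.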