[Snort-users] simultaneous snort and tcpdump

Gary Flynn flynngn at ...6811...
Fri Sep 20 11:31:18 EDT 2002


Bennett Todd wrote:
> 
> In testing, I've run both snort and tcpdump (and other libpcap based
> sniffing programs) concurrently against the same promisc interface,
> and even concurrently used that same interface for real network
> interaction.
> 
> As far as I know, you can just run your snort and your tcpdump at
> the same time; while the performance consequences might not be
> ideal, I suspect they'd be better than one tcpdump teeing to a fifo
> for snort then piping into another tcpdump.

My experiences are the same as Bennett's. I've got ntop and
snort running on the same interface and they seem to be
sharing it fine.

When I first contemplated doing this, I did some superficial
research that suggested to me that this wouldn't be a problem.
After diving through pcap code and then into the kernel
network handling code, I came to the conclusion that all
pcap applications have a PF_SOCKET open whose packet_rcv()
functions are sequentially called by the kernel.

This seems to be very nicely documented in the following two
articles:

http://www.linuxjournal.com/article.php?sid=4852
and
http://www.linuxjournal.com/article.php?sid=5617


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
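One way to see the sharing Gary describes from the outside, as an added example that is not part of this thread: on Linux every libpcap capture opens its own packet socket, and /proc/net/packet lists them one per line, so counting the entries per interface index shows each concurrent sniffer as a separate socket. The table embedded below is a constructed sample laid out like the kernel's packet_seq_show() output, with snort and tcpdump both capturing on ifindex 2 and an unrelated DHCP client socket on ifindex 3; addresses and inode numbers are made up.

```python
import socket
from collections import defaultdict

# Constructed sample in the /proc/net/packet layout: two SOCK_RAW (Type 3)
# sockets bound to ETH_P_ALL (Proto 0003) on interface index 2, the shape
# snort and tcpdump have when capturing concurrently, plus one unrelated
# SOCK_DGRAM/IPv4 socket on index 3. Addresses and inodes are invented.
SAMPLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
00000000deadbeef 3      3    0003   2     1 0      0      12001
00000000cafef00d 3      3    0003   2     1 0      0      12002
00000000feedface 3      2    0800   3     1 0      0      12003
"""

SOCK_TYPES = {2: "SOCK_DGRAM", 3: "SOCK_RAW"}


def parse_packet_table(text):
    """Return one dict per socket row of a /proc/net/packet table."""
    rows = []
    for line in text.splitlines()[1:]:   # first line is the column header
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({
            "type": SOCK_TYPES.get(int(f[2]), f[2]),
            "proto": int(f[3], 16),      # ethertype; 0x0003 is ETH_P_ALL
            "ifindex": int(f[4]),
            "running": f[5] == "1",      # bound and receiving
            "inode": int(f[8]),
        })
    return rows


def sniffers_per_interface(rows):
    """Count running ETH_P_ALL sockets per interface (what a pcap capture looks like)."""
    counts = defaultdict(int)
    for r in rows:
        if r["running"] and r["proto"] == 0x0003:
            counts[r["ifindex"]] += 1
    return dict(counts)


def ifname(ifindex):
    """Resolve an ifindex to a name on a live Linux host; fall back to a label."""
    try:
        return socket.if_indextoname(ifindex)
    except (OSError, AttributeError):
        return "ifindex%d" % ifindex


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            table = fh.read()            # live table when run on Linux
    except OSError:
        table = SAMPLE                   # otherwise fall back to the sample
    for idx, n in sorted(sniffers_per_interface(parse_packet_table(table)).items()):
        print("%s: %d concurrent capture socket(s)" % (ifname(idx), n))
```

Run as root on the capture host while snort and tcpdump are both up and the interface should show two entries, one per process, which is exactly the "one packet socket per pcap application" picture from the message.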