[Snort-users] Snort as Gigabit Sensor
cmg at ...1935...
Thu Jul 31 14:09:07 EDT 2003
Frank Knobbe <frank at ...9761...> writes:
> Let me ask you this then... is the pcap loop buffered? Does libpcap
> buffer packets itself (internally being multi-threaded)? If not, having
> at least the acquisition separated and buffered should help Snort not to
> drop packets when it is busy logging to the database.

Welcome to why barnyard is a separate process :> small disk writes
are cheap and buffered by OS, let the pending stuff happen in snort.

Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.