[Snort-users] Snort as Gigabit Sensor

Chris Green cmg at ...1935...
Thu Jul 31 14:09:07 EDT 2003


Frank Knobbe <frank at ...9761...> writes:

> Let me ask you this then... is the pcap loop buffered? Does libpcap
> buffer packets itself (internally being multi-threaded)? If not, having
> at least the acquisition separated and buffered should help Snort not to
> drop packets when it is busy logging to the database.

Welcome to why barnyard is a separate process :>  small disk writes
are cheap and buffered by OS, let the pending stuff happen in snort.
-- 
Chris Green <cmg at ...1935...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-users mailing list