[Snort-users] Snort as Gigabit Sensor

Frank Knobbe frank at ...9761...
Thu Jul 31 14:20:04 EDT 2003


On Thu, 2003-07-31 at 16:02, Chris Green wrote:
> > Let me ask you this then... is the pcap loop buffered? Does libpcap
> > buffer packets itself (internally being multi-threaded)? If not, having
> > at least the acquisition separated and buffered should help Snort not to
> > drop packets when it is busy logging to the database.
> 
> Welcome to why barnyard is a separate process :>  small disk writes
> are cheap and buffered by OS, let the pending stuff happen in snort.

Touche. Still didn't answer my question though :)  How much buffering
occurs in libpcap? 

Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030731/d38534ca/attachment.sig>


More information about the Snort-users mailing list