[Snort-users] Snort as Gigabit Sensor
frank at ...9761...
Thu Jul 31 14:20:04 EDT 2003
On Thu, 2003-07-31 at 16:02, Chris Green wrote:
> > Let me ask you this then... is the pcap loop buffered? Does libpcap
> > buffer packets itself (internally being multi-threaded)? If not, having
> > at least the acquisition separated and buffered should help Snort not to
> > drop packets when it is busy logging to the database.
> Welcome to why barnyard is a separate process :> small disk writes
> are cheap and buffered by OS, let the pending stuff happen in snort.
Touche. Still didn't answer my question though :) How much buffering
occurs in libpcap?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 187 bytes
Desc: This is a digitally signed message part
More information about the Snort-users