[Snort-users] Snort output redirection buffered

JP Vossen vossenjp at ...8683...
Mon May 19 09:40:08 EDT 2003


It seems like Snort output is buffered quite a bit.  When running version
2.0.0 (Build 72) on Red Hat 8.0 2.4.18-27.8.0 as follows, the traffic is very
bursty:
	snort -vdCqi eth1 udp port 514 | SomeScript.pl
	snort -vdCqi eth1 udp port 514 | tee somefile

It seems like there is a buffer of between about 1500 - 2000 bytes.  Does that
make sense or is there something else I'm missing?  Any way to turn it off w/o
patching the source?  If no, how hard would it be to patch the source (assume
I know almost nothing about C :-)?

Thanks,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows XP or better, so I installed
Linux..."





