[Snort-users] Re: My Linux libpcap

Phil Wood cpw at ...440...
Wed May 21 07:44:07 EDT 2003


Take a look at the README.ring and read the discussion about "to_ms".

Then, try:
  now=`date +'%s'`
  future=`expr $now + 60`
  PCAP_TIMEOUT=$future PCAP_STATS=0x1fff PCAP_FRAMES=max PCAP_PERIOD=10000 PCAP_VERBOSE=1 PCAP_TO_MS=0 tcpdump -i eth0 -s 1514 -w /dev/null

If you do not see something like the following, then something else is wrong.

tcpdump: WARNING: eth1: no IPv4 address assigned
libpcap version: 0.8
Kernel filter, Protocol 0300, MMAP mode (32768 frames, snapshot 1514), socket type: Raw
tcpdump: listening on eth1, capture size 1514 bytes
S:1053528027.575273 119584 0 119565 0 119009 65223982 64775751 0 22082 613 0 000000010.000038
S:1053528037.575311 120764 0 120764 0 121294 66179257 65641177 0 11774 27 0 000000010.000006
S:1053528047.575317 116232 0 116232 0 115895 66244610 66092203 0 29702 23 0 000000010.000062
S:1053528057.575379 124922 0 124922 0 123642 70961130 70897915 0 23552 17 0 000000010.000257
S:1053528067.575636 122348 0 122348 0 123910 69414289 68198439 0 14828 142 0 000000010.000025
S:1053528077.575661 121811 0 121811 0 121319 69319285 69162909 0 5567 29 0 000000010.000091
S:1053528087.575752 5830 0 5830 0 0 0 3411412 0 11397 9 0 000000000.424249
tcpdump: pcap_loop: User specified timeout occured

731478 packets received by filter
0 packets dropped by kernel


You probably should read both README.linux and README.ring, and make
sure you have the correct kernel configuration, or MMAP mode will not
show up in the verbosity above.

Later,

Phil
http://public.lanl.gov/cpw

On Wed, May 21, 2003 at 10:22:22AM +0200, Lionel CONS wrote:
> Hello,
> 
> I'm trying to use your version of libpcap (libpcap-0.8.030331.tar.gz)
> but I found something strange. My program is now using 99% of the CPU
> while it was around 20% before, when using the system's libpcap. This
> machine is running Red Hat Linux 7.3 with a 1.6 GHz CPU.
> 
> I then tried on another machine seeing the same traffic and the
> program is still 99% CPU while the processor is 2.4 GHz. Both capture
> roughly the same number of packets. Is it possible that there is a bug
> (feature) in your version that makes libpcap actively poll for
> packets instead of being blocked with something like select()?
> 
> Thanks in advance for your help,
> __________________________________________________________
> Lionel Cons        http://cern.ch/lionel.cons
> CERN               http://www.cern.ch



