[Snort-users] Correct version of libpcap?

Erek Adams erek at ...950...
Mon Feb 2 15:05:18 EST 2004


On Mon, 2 Feb 2004, Sheahan, Paul wrote:

> I'm currently running Snort 2.0.5 build 98 on RHLinux 8.0, and in a
> previous post when I asked about Snort dropping packets, someone
> mentioned that I should be sure I'm using "Phil Wood's version of
> libpcap". Can someone point me to the appropriate version of libpcap
> that I should be running? I've already applied as many tweaks as I
> could think of, and want to rule this out next.

Ok, the short answer is 'Google is your friend'.  :)

Long answer--If you're not running on a Linux-based system, then Phil's
patches aren't going to help since they aren't ported.  If you are on a
Linux-based OS, then you can use the libpcap that he has and get a marked
performance increase.  He uses a ring buffer and some other black magic
mojo to make libpcap dance its fool head off. :)

Cheers!

-----
Erek Adams

 "It looks just like a Telefunken U-47.  You'll love it..."  -- Frank Zappa



