[Snort-users] Kernel space Snort. Proof of concept test succeeded.

Willem de Bruijn wdebruij at ...1580...
Wed Sep 15 11:36:39 EDT 2004

Hi Alex,
> Was the user-mode Snort using Phil Wood's libpcap
> <http://public.lanl.gov/cpw/> or an older version without MMAP mode
> support?

we compared against regular (0.8.3) pcap, so Phil Wood's version should be 
considerably faster. However, speed-ups can still be obtained by running in 
the kernel due to fewer context switches and no need for copying a packet 
into the memory mapped area.


More information about the Snort-users mailing list