[Snort-users] Tapping into the ring buffer

Milani Paolo Paolo.Milani at ...3258...
Tue Aug 23 02:19:18 EDT 2005

I may be wrong, but I think that each sniffing application creates a new packet socket, and this means that if you have, say, snort and tcpdump both sniffing the same traffic, each packet is queued into two socket queues (and gets copied. An additional copy is made to send the packet into the normal IP processing queue unless it is disabled for that interface). Phil wood's pcap then kicks in to avoid that each of these packets is copied again into user space (because the socket queue is memory mapped into user space and can be accessed directly).

Whatever the details are, since when an application gets access to the memory of a packet it can modify them (snort does that too, rpc_decode i think is an example), it would be unsafe not to make a different copy for each application.

Sharing access to the sniffed packets would require a rather large amount of tampering, either in the kernel or in the applications involved.

So having multiple sniffing applications will slow down snort.. how big a slowdown i guess you won't know until you try it out.


Gruppo Telecom Italia - Direzione e coordinamento di Telecom Italia S.p.A.

This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please send an e_mail to 
MailAdmin at ...13220... Thank you

More information about the Snort-users mailing list