[Snort-users] PF_RING question

Dennis Henderson hendo at ...3663...
Wed Jun 22 20:17:44 EDT 2005

Is there anyone out there using PF_RING for your snort setup?

I seem to have it compiled into the kernel and have a modified libpcap that

The problem is that I think that PF_RING is only letting me see 68 bytes of
every packet.

I'm using env vars  PCAP_FRAMES=max and PCAP_SNAPLEN=1514 but when I
actually sniff the traffic using tcpdump with a -s 1514, I don't see packets
bigger than 68 bytes.

Have any of you clueful persons out there seen this behavior?



More information about the Snort-users mailing list