[Snort-users] OpenPcap()

Gentoo-Wally gentoowally at ...11827...
Tue Jun 20 15:05:09 EDT 2006


Thx. So do you think a jump from 25% usage in 2.4.5 to 90% usage in
2.6.0 on a machine with 1Gb ram should be expected?

On 6/20/06, Joel Esler <joel.esler at ...1935...> wrote:
> Snort 2.6 uses more memory than its predecessors.  The OpenPcap msg you
> saw is normal, it's just telling you that there is no IP assigned to the
> sniffing interface (eth0).  Which, if you are using a promisc card
> interface with no IP, is exactly what you want...
>
> Joel
>
> Gentoo-Wally wrote:
> > I've started looking at snort 2.6.0 and have run into something strange.
> >
> > Compile info:
> > 1. gcc 4.1.1
> > 2. ./configure --enable-dynamicplugin --enable-dependency-tracking --with-libpcap-includes=/usr/include/ --with-libpcap-libraries=/usr/lib/
> > 3. Have tried libpcap 0.9.4 and the current version of Phil Wood's libpcap
> > 4. Gentoo Linux box
> > 5. 'ifconfig eth0 up promisc' to bring the interface up
> >
> > No errors during ./configure && make && make install
> >
> > When I start snort it hangs for 15-30 seconds at...
> >
> > Initializing Network Interface eth0
> > OpenPcap() device eth0 network lookup:
> >         eth0: no IPv4 address assigned
> > Decoding Ethernet on interface eth0
> >
> >
> > I'm starting it like this..
> >
> > /usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c /usr/local/etc/snort/snort.conf
> >
> > also tried...
> >
> > /usr/local/bin/snort -i eth0 -l /var/log/snort -c /usr/local/etc/snort/snort.conf
> >
> >
> > At this point memory consumption skyrockets to 95% usage even with
> > all preprocessors except flow turned off. After about 30 seconds it
> > finishes initializing and appears to work correctly but at 95% memory
> > consumption and swap usage begins kicking in.
> >
> > I googled the OpenPcap message but found nothing that seems relevant
> > to my situation.
> >
> > I also have a snort 2.4.5 install on the same box. When it starts I do
> > not see the OpenPcap message and it works flawlessly at around 18-24%
> > mem usage with all preprocessors on.
> >
> > I also tried compiling 2.6.0 without the new dynamic preprocessors or
> > the dep tracking and I still get the openpcap message and crazy mem
> > usage.
> >
> > Any ideas?
> >
> > Wally
>
> - --
> +---------------------------------------------------------------------+
> Joel Esler           Senior Security Consultant         1-706-627-2101
> Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
> Snort - Open Source Network IPS/IDS -- http://www.snort.org
> GPG Key http://demo.sourcefire.com/jesler.pgp.key
> +---------------------------------------------------------------------+



