[Snort-users] OpenPcap()

Rob Munsch rmunsch at ...13744...
Tue Jun 20 15:50:14 EDT 2006


Would I be wrong in guesstimating that the 2.4.5 is not running in 
promisc mode... and simply not getting as much traffic as the 2.6.0 is?

Gentoo-Wally wrote:

>Thx. So do you think a jump from 25% usage in 2.4.5 to 90% usage in
>2.6.0 on a machine with 1Gb ram should be expected?
>
>On 6/20/06, Joel Esler <joel.esler at ...1935...> wrote:
>  
>
>>Snort 2.6 uses more memory than its predecessors.  The OpenPcap msg you
>>saw is normal, it's just telling you that there is no IP assigned to the
>>sniffing interface (eth0).  Which, if you are using a promisc card
>>interface with no IP, is exactly what you want...
>>
>>Joel
>>
>>Gentoo-Wally wrote:
>>    
>>
>>>I've started looking at snort 2.6.0 and have run into something strange.
>>>
>>>Compile info:
>>>1. gcc 4.1.1
>>>2. ./configure --enable-dynamicplugin --enable-dependency-tracking
>>>--with-libpcap-includes=/usr/include/
>>>--with-libpcap-libraries=/usr/lib/
>>>3. Have tried libpcap 0.9.4 and the current version of Phil Wood's libpcap
>>>4. Gentoo Linux box
>>>5. 'ifconfig eth0 up promisc' to bring the interface up
>>>
>>>No errors during ./configure && make && make install
>>>
>>>When I start snort, it hangs for 15-30 seconds at...
>>>
>>>Initializing Network Interface eth0
>>>OpenPcap() device eth0 network lookup:
>>>        eth0: no IPv4 address assigned
>>>Decoding Ethernet on interface eth0
>>>
>>>
>>>I'm starting it like this...
>>>
>>>/usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c
>>>/usr/local/etc/snort/snort.conf
>>>
>>>also tried...
>>>
>>>/usr/local/bin/snort -i eth0 -l /var/log/snort -c
>>>/usr/local/etc/snort/snort.conf
>>>
>>>
>>>At this point memory consumption skyrockets to 95% usage even with
>>>all preprocessors except flow turned off. After about 30 seconds it
>>>finishes initializing and appears to work correctly but at 95% memory
>>>consumption and swap usage begins kicking in.
>>>
>>>I googled the OpenPcap message but found nothing that seems relevant
>>>to my situation.
>>>
>>>I also have a snort 2.4.5 install on the same box. When it starts I do
>>>not see the OpenPcap message and it works flawlessly at around 18-24%
>>>mem usage with all preprocessors on.
>>>
>>>I also tried compiling 2.6.0 without the new dynamic preprocessors or
>>>the dep tracking and I still get the OpenPcap message and crazy mem
>>>usage.
>>>
>>>Any ideas?
>>>
>>>Wally
>>>
>>>
>>>_______________________________________________
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>      
>>>
>>- --
>>+---------------------------------------------------------------------+
>>Joel Esler           Senior Security Consultant         1-706-627-2101
>>Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
>>Snort - Open Source Network IPS/IDS -- http://www.snort.org
>>GPG Key http://demo.sourcefire.com/jesler.pgp.key
>>+---------------------------------------------------------------------+
>>
>>    
>>
>
>
>  
>


-- 
Rob Munsch
Solutions For Progress IT
www.solutionsforprogress.com
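An added check for the question Rob raises above (example code, not from anyone in this thread or from Snort): given the output of `ip -o link show` and `ip -o -4 addr show` for the sniffing interface, it reports whether the interface is up and in promiscuous mode and whether it carries an IPv4 address, the condition Joel ties to the OpenPcap() message. The interface name eth0 comes from the thread; the sample `ip` output lines are constructed.

```sh
# Added example, not code from this thread or from Snort.
# iface_diag LINK_LINE ADDR_LINES
#   LINK_LINE  = output of: ip -o link show dev eth0
#   ADDR_LINES = output of: ip -o -4 addr show dev eth0  (empty if no address)
# Prints "token: explanation", token being one of
#   down | not-promisc | promisc-has-ipv4 | promisc-no-ipv4
iface_diag() {
    link_line=$1
    addr_lines=$2
    # Pull the comma-separated flag list out of "<...>" in the link line.
    flags=$(printf '%s\n' "$link_line" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    # First IPv4 address/prefix, if any (4th field of an "inet" line).
    ipv4=$(printf '%s\n' "$addr_lines" | awk '$3 == "inet" { print $4; exit }')
    case ",$flags," in
        *,UP,*) ;;
        *) echo "down: interface is not UP, so nothing is captured"; return 0 ;;
    esac
    case ",$flags," in
        *,PROMISC,*) ;;
        *) echo "not-promisc: only frames addressed to this host (plus broadcast/multicast) are seen"; return 0 ;;
    esac
    if [ -n "$ipv4" ]; then
        echo "promisc-has-ipv4: $ipv4 is assigned, so OpenPcap()'s network lookup succeeds"
    else
        echo "promisc-no-ipv4: expect 'no IPv4 address assigned' from OpenPcap(); this is the intended sniffing setup"
    fi
}

# Constructed sample: eth0 brought up with 'ifconfig eth0 up promisc' and no address,
# as Wally describes. Live use on a sensor:
#   iface_diag "$(ip -o link show dev eth0)" "$(ip -o -4 addr show dev eth0)"
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
iface_diag "$SAMPLE_LINK" ""
```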