[Snort-users] Mmapped Capture on Linux

Russ Combs rcombs at ...1935...
Thu Aug 12 11:36:44 EDT 2010


On Wed, Aug 11, 2010 at 6:36 PM, Mike Lococo <mikelococo at ...11827...> wrote:

> Hi Folks,
>
> I'm interested to know if anyone has attempted to do mmaped capture with
> snort using the stock libpcap distribution.  The manual still references
> Phil Woods rather old patches based on libpcap-0.9.8, and all of the
> web/mailing-list references I can find use that or various other old
> patches.
>
> According to the CHANGES file that ships with libpcap, it has supported
> memory-mapped capture on linux since 1.0.0:
>
>
>
> http://github.com/mcr/libpcap/blob/3c13ac2cc3e06899a8ed1aca3e88b2abebb02c9a/CHANGES
>
> Russ Combs recently suggested that snort has support for it in recent
> releases:
>
>  http://seclists.org/snort/2010/q3/66
>
> I'm having trouble finding documentation or any evidence of folks using
> this feature though.  Does it require configuration to enable, or is it
> automatic as long as the kernel, libpcap, and snort version all support
> it?  Is there a way to test and confirm that mmapped capture is being
> used on a given snort instance?
>

It looks like the later versions will use mmap if possible.

A crude way to check on linux:  run this before and after starting Snort:

    grep -i mapped /proc/meminfo

BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and works
with live traffic both passive and inline.  :)


> Cheers,
> Mike Lococo
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100812/663b3bb4/attachment.html>


More information about the Snort-users mailing list