[Snort-users] Mmapped Capture on Linux

Mike Lococo mikelococo at ...11827...
Thu Aug 12 17:57:17 EDT 2010


> It looks like the later versions will use mmap if possible.
> 
> A crude way to check on linux:  run this before and after starting Snort:
> 
>     grep -i mapped /proc/meminfo

The mapped allocation grows a bit and then bounces around after enabling
snort.  Prior to enabling snort, it's quite stable.  I assume this means
that we're using mmapped collection already.

> BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and
> works with live traffic both passive and inline.  :)

I'll have a peek at this.  I'm still seeing ~ 10% packet loss at
50mbit/sec on a fairly monstrous box with very little CPU usage.  I'll
also have to look into kernel-tuning a bit.  I've been spoiled by Endace
Dag cards on high-bandwidth links.  Monitoring a measly 150 megabits on
a commodity ethernet card seems difficult by comparison.

Thanks for your help.

Cheers,
Mike Lococo
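The before/after check quoted above can be scripted so the comparison is done for you instead of eyeballing two grep outputs. The following is an added example, not code from the thread or from the Snort project; it assumes the Linux /proc/meminfo layout ("Mapped:   <n> kB") and uses constructed sample snapshots so it runs without a live Snort process (pass a real path, or none, to read the live file instead).

```shell
#!/bin/sh
# Added example (not from the original thread): parse the "Mapped:" line from
# /proc/meminfo-style text and report how much it grew between two samples.
# Assumes the Linux layout "Mapped:   <kB> kB"; the samples below are constructed.

# Print the Mapped value (kB) from meminfo text supplied on stdin.
mapped_kb() {
    awk '/^Mapped:/ { print $2; exit }'
}

# Read the live counter from a meminfo file (default /proc/meminfo);
# prints 0 if the file is not readable so callers can still compute a delta.
sample_mapped() {
    f="${1:-/proc/meminfo}"
    if [ -r "$f" ]; then
        mapped_kb < "$f"
    else
        echo 0
    fi
}

# Difference in kB between a "before" and an "after" reading.
mapped_delta() {
    echo $(( $2 - $1 ))
}

# Constructed sample snapshots standing in for the two grep runs
# (not real measurements from any box).
BEFORE_SAMPLE='MemTotal:       16384000 kB
MemFree:         8000000 kB
Mapped:           120000 kB
Shmem:             40000 kB'

AFTER_SAMPLE='MemTotal:       16384000 kB
MemFree:         7700000 kB
Mapped:           380000 kB
Shmem:             40000 kB'

before=$(printf '%s\n' "$BEFORE_SAMPLE" | mapped_kb)
after=$(printf '%s\n' "$AFTER_SAMPLE" | mapped_kb)
delta=$(mapped_delta "$before" "$after")

echo "Mapped before: ${before} kB"
echo "Mapped after:  ${after} kB"
echo "Growth:        ${delta} kB"

# Typical live use: run sample_mapped once before starting Snort, once after,
# and feed the two numbers to mapped_delta. A sustained jump that stays put
# is the sign the quoted reply describes; a reading that is flat suggests the
# capture method is not using an mmapped ring at all.
```
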