[Snort-users] Mmapped Capture on Linux
mikelococo at ...11827...
Thu Aug 12 17:57:17 EDT 2010
> It looks like the later versions will use mmap if possible.
> A crude way to check on linux: run this before and after starting Snort:
> grep -i mapped /proc/meminfo

The mapped allocation grows a bit and then bounces around after enabling
snort. Prior to enabling snort, it's quite stable. I assume this means
that we're using mmapped collection already.

> BTW, you can go to Snort 2.9.0 and use afpacket. That uses mmap and
> works with live traffic both passive and inline. :)

I'll have a peek at this. I'm still seeing ~ 10% packet loss at
50mbit/sec on a fairly monstrous box with very little CPU usage. I'll
also have to look into kernel-tuning a bit. I've been spoiled by Endace
Dag cards on high-bandwidth links. Monitoring a measly 150 megabits on
a commodity ethernet card seems difficult by comparison.

Thanks for your help.