[Snort-users] Mmapped Capture on Linux

beenph beenph at ...11827...
Thu Aug 12 19:05:40 EDT 2010


For general information: since 2.6.34 (maybe it could have been
earlier) the kernel doesn't need to be compiled with
mmap socket I/O support; it's now built-in.

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.34.y.git;a=commit;h=889b8f964f2f226b7cd5a0a515109e3d8d9d1613

-elz


On Thu, Aug 12, 2010 at 5:57 PM, Mike Lococo <mikelococo at ...11827...> wrote:
>> It looks like the later versions will use mmap if possible.
>>
>> A crude way to check on linux:  run this before and after starting Snort:
>>
>>     grep -i mapped /proc/meminfo
>
> The mapped allocation grows a bit and then bounces around after enabling
> snort.  Prior to enabling snort, it's quite stable.  I assume this means
> that we're using mmapped collection already.
>
>> BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and
>> works with live traffic both passive and inline.  :)
>
> I'll have a peek at this.  I'm still seeing ~ 10% packet loss at
> 50mbit/sec on a fairly monstrous box with very little CPU usage.  I'll
> also have to look into kernel-tuning a bit.  I've been spoiled by Endace
> Dag cards on high-bandwidth links.  Monitoring a measly 150 megabits on
> a commodity ethernet card seems difficult by comparison.
>
> Thanks for your help.
>
> Cheers,
> Mike Lococo