[Snort-users] Mmapped Capture on Linux

beenph beenph at ...11827...
Fri Aug 13 12:09:44 EDT 2010


Mike's post also made me look at libpcap-1.x,
and I thought this would be informative for people looking toward that path.

Seems like libpcap-1.x now supports MMAPed socket I/O like Phil Wood's
pcap, but I think there is a little gotcha:


In pcap-linux.c we can see the following:

activate_mmap(pcap_t *handle)
{
#ifdef HAVE_PACKET_RING
<snip>
                /* by default request 2M for the ring buffer */
                handle->opt.buffer_size = 2*1024*1024;
</snip>

And opt.buffer_size is used to initialize the buffer, thus if you use something
like snort or tcpdump or wireshark, you might have to modify the
buffer size, with a pcap_set_buffer_size() call, before any call to a
function that calls pcap_activate().


So you can actually have a buffer greater than 2MB ... which wouldn't
be able to sustain much stress.

Phil Wood's libpcap used to take the parameter from an ENV variable.

I guess it would either be up to people to patch their software, or maybe
Sourcefire could slip some code in without much hassle to
allow it to be a snort parameter.

-elz



On Thu, Aug 12, 2010 at 7:05 PM, beenph <beenph at ...11827...> wrote:
> For the general information: since 2.6.34 (maybe it could have been
> earlier) the kernel doesn't need to be compiled with
> mmap socket I/O support, it's now built-in.
>
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.34.y.git;a=commit;h=889b8f964f2f226b7cd5a0a515109e3d8d9d1613
>
> -elz
>
>
> On Thu, Aug 12, 2010 at 5:57 PM, Mike Lococo <mikelococo at ...11827...> wrote:
>>> It looks like the later versions will use mmap if possible.
>>>
>>> A crude way to check on linux:  run this before and after starting Snort:
>>>
>>>     grep -i mapped /proc/meminfo
>>
>> The mapped allocation grows a bit and then bounces around after enabling
>> snort.  Prior to enabling snort, it's quite stable.  I assume this means
>> that we're using mmapped collection already.
>>
>>> BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and
>>> works with live traffic both passive and inline.  :)
>>
>> I'll have a peek at this.  I'm still seeing ~ 10% packet loss at
>> 50mbit/sec on a fairly monstrous box with very little CPU usage.  I'll
>> also have to look into kernel-tuning a bit.  I've been spoiled by Endace
>> Dag cards on high-bandwidth links.  Monitoring a measly 150 megabits on
>> a commodity ethernet card seems difficult by comparison.
>>
>> Thanks for your help.
>>
>> Cheers,
>> Mike Lococo
>>
>