[Snort-users] Mmapped Capture on Linux

Russ Combs rcombs at ...1935...
Fri Aug 13 12:45:55 EDT 2010


On Fri, Aug 13, 2010 at 12:09 PM, beenph <beenph at ...11827...> wrote:

> Mike's post also made me look at libpcap-1.x
> And I thought this would be informative for people looking toward that path,
>
> Seems like libpcap-1.x now supports MMAPed socket I/O like Phil Woods'
> pcap, but I think there is a little gotcha:
>
>
> In pcap-linux.c we can see the following:
>
> activate_mmap(pcap_t *handle)
> {
> #ifdef HAVE_PACKET_RING
> <snip>
>                /* by default request 2M for the ring buffer */
>                handle->opt.buffer_size = 2*1024*1024;
> </snip>
>
> And opt.buffer_size is used to initialize the buffer, thus if you use
> something like snort or tcpdump or wireshark, you might have to modify the
> buffer size before any call to a function that calls pcap_activate(),
> with a pcap_set_buffer_size() call.
>
>
> So you can actually have a buffer greater than 2MB ...which wouldn't
> be able to sustain much stress.
>
> Phil Woods' libpcap used to take the parameter via an ENV variable.
>
> I guess it would either be up to people to patch their software or maybe
> sourcefire could slip some code in without much hassle to
> allow it to be a snort parameter
>

With Snort 2.9.0 and the pcap DAQ you can set the buffer size and if not, the
DAQ will try the PCAP_FRAMES env var.

Or you can use the afpacket DAQ.

Russ

>
> -elz
>
>
>
> On Thu, Aug 12, 2010 at 7:05 PM, beenph <beenph at ...11827...> wrote:
> > For the general information since 2.6.34 Maybe it could have been
> > earlier but the kernel doesn't need to be compiled with
> > mmap socket I/O support, it's now built-in.
> >
> >
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.34.y.git;a=commit;h=889b8f964f2f226b7cd5a0a515109e3d8d9d1613
> >
> > -elz
> >
> >
> > On Thu, Aug 12, 2010 at 5:57 PM, Mike Lococo <mikelococo at ...11827...>
> wrote:
> >>> It looks like the later versions will use mmap if possible.
> >>>
> >>> A crude way to check on linux:  run this before and after starting
> Snort:
> >>>
> >>>     grep -i mapped /proc/meminfo
> >>
> >> The mapped allocation grows a bit and then bounces around after enabling
> >> snort.  Prior to enabling snort, it's quite stable.  I assume this means
> >> that we're using mmapped collection already.
> >>
> >>> BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and
> >>> works with live traffic both passive and inline.  :)
> >>
> >> I'll have a peek at this.  I'm still seeing ~ 10% packet loss at
> >> 50mbit/sec on a fairly monstrous box with very little CPU usage.  I'll
> >> also have to look into kernel-tuning a bit.  I've been spoiled by Endace
> >> Dag cards on high-bandwidth links.  Monitoring a measly 150 megabits on
> >> a commodity ethernet card seems difficult by comparison.
> >>
> >> Thanks for your help.
> >>
> >> Cheers,
> >> Mike Lococo
> >>
> >>
> ------------------------------------------------------------------------------
> >> This SF.net email is sponsored by
> >>
> >> Make an app they can't live without
> >> Enter the BlackBerry Developer Challenge
> >> http://p.sf.net/sfu/RIM-dev2dev
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >
>
>

