[Snort-users] Mmapped Capture on Linux

Michael Altizer xiche at ...3147...
Fri Aug 13 13:03:33 EDT 2010


On 08/13/2010 12:09 PM, beenph wrote:
> Mike's post also made me look at libpcap-1.x
> And I thought this would be informative for people looking toward that path,
>
> Seems like libpcap-1.x now supports MMAPed socket I/O like Phil Woods'
> pcap, but I think there is a little gotcha:
>
>
> In pcap-linux.c we can see the following:
>
> activate_mmap(pcap_t *handle)
> {
> #ifdef HAVE_PACKET_RING
> <snip>
>                  /* by default request 2M for the ring buffer */
>                  handle->opt.buffer_size = 2*1024*1024;
> </snip>
>
> And opt.buffer_size is used to initialize the buffer, thus if you use something
> like snort or tcpdump or wireshark, you might have to modify the
> buffer size before any call to a function that calls pcap_activate(),
> with a pcap_set_buffer_size() call.
>
>
> So you can actually have a buffer greater than 2MB ...which wouldn't
> be able to sustain much stress.
>
> Phil Woods's libpcap used to take the parameter from an ENV variable.
>
> I guess it would either be up to people to patch their software or maybe
> Sourcefire could slip some code in without much hassle to
> allow it to be a snort parameter
>
> -elz
>
>    
In Snort 2.9, you can pass a value to be set with pcap_set_buffer_size() 
with '--daq-var buffer_size=<#bytes>' and it will be handled by the PCAP 
DAQ module.  The PCAP DAQ module will also try to intelligently 
interpret Phil Woods's PCAP_FRAMES environment variable into something 
to use in the same way if the 'buffer_size' DAQ variable is not defined.

-Michael

>
> On Thu, Aug 12, 2010 at 7:05 PM, beenph<beenph at ...11827...>  wrote:
>    
>> For the general information, since 2.6.34 (maybe it could have been
>> earlier) the kernel doesn't need to be compiled with
>> mmap socket I/O support; it's now built-in.
>>
>> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.34.y.git;a=commit;h=889b8f964f2f226b7cd5a0a515109e3d8d9d1613
>>
>> -elz
>>
>>
>> On Thu, Aug 12, 2010 at 5:57 PM, Mike Lococo<mikelococo at ...11827...>  wrote:
>>      
>>>> It looks like the later versions will use mmap if possible.
>>>>
>>>> A crude way to check on Linux:  run this before and after starting Snort:
>>>>
>>>>      grep -i mapped /proc/meminfo
>>>>          
>>> The mapped allocation grows a bit and then bounces around after enabling
>>> snort.  Prior to enabling snort, it's quite stable.  I assume this means
>>> that we're using mmapped collection already.
>>>
>>>        
>>>> BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and
>>>> works with live traffic both passive and inline.  :)
>>>>          
>>> I'll have a peek at this.  I'm still seeing ~ 10% packet loss at
>>> 50mbit/sec on a fairly monstrous box with very little CPU usage.  I'll
>>> also have to look into kernel-tuning a bit.  I've been spoiled by Endace
>>> Dag cards on high-bandwidth links.  Monitoring a measly 150 megabits on
>>> a commodity ethernet card seems difficult by comparison.
>>>
>>> Thanks for your help.
>>>
>>> Cheers,
>>> Mike Lococo
>>>
>>> ------------------------------------------------------------------------------
>>> This SF.net email is sponsored by
>>>
>>> Make an app they can't live without
>>> Enter the BlackBerry Developer Challenge
>>> http://p.sf.net/sfu/RIM-dev2dev
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>>        
>>      
>    
