[Snort-users] snort 2.8.5.3 and PCAP_FRAMES

Russell Fulton r.fulton at ...3809...
Wed May 12 00:43:18 EDT 2010


I've just noticed that my snort is no longer using PCAP_FRAMES ???

[snort at ...13893... ~]$ snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.5.3 (Build 124)  
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006

[snort at ...13893... ~]$ env | grep PCAP
PCAP_FRAMES=32000

[snort at ...13893... ~]$ sudo snort -D   -A none -c conf/snort.conf.eth3 -u snort -g snort -i eth3 -l /home/snort/data/eth3 -m 0002 -S INT=eth3

[snort at ...13893... ~]$ sudo tail /var/log/messages
May 12 04:33:51 monitor-dmzo snort[3579]: | Num States       : 635820 
May 12 04:33:51 monitor-dmzo snort[3579]: | Num Transitions  : 45289523 
May 12 04:33:51 monitor-dmzo snort[3579]: | State Density    : 27.8% 
May 12 04:33:51 monitor-dmzo snort[3579]: | Finite Automatum : DFA 
May 12 04:33:51 monitor-dmzo snort[3579]: | Memory           : 434.13Mbytes 
May 12 04:33:51 monitor-dmzo snort[3579]: +------------------------------------------------------------- 
May 12 04:33:51 monitor-dmzo snort[3579]:  
May 12 04:33:51 monitor-dmzo snort[3579]:         --== Initialization Complete ==-- 
May 12 04:33:51 monitor-dmzo snort[3579]: Snort initialization completed successfully (pid=3579) 
May 12 04:33:51 monitor-dmzo snort[3579]: Not Using PCAP_FRAMES 

I have the latest version of libpcap from lbl installed and recompiled snort with --with-libcap-dir=/usr/local/lib...

Any ideas?

Russell



More information about the Snort-users mailing list