[Snort-users] snort 2.8.5.3 and PCAP_FRAMES

Joel Esler jesler at ...1935...
Wed May 12 08:54:26 EDT 2010


Just out of curiosity, have you tried it with 2.8.6.0?  Just to see if we've
already fixed it in the current Snort version?  (I have NOT tested it here
on either version)

On Wed, May 12, 2010 at 12:43 AM, Russell Fulton <r.fulton at ...3809...> wrote:

> I've just noticed that my snort is no longer using PCAP_FRAMES ???
>
> [snort at ...13893... ~]$ snort -V
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.8.5.3 (Build 124)
>   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
>           Using PCRE version: 6.6 06-Feb-2006
>
> [snort at ...13893... ~]$ env | grep PCAP
> PCAP_FRAMES=32000
>
> [snort at ...13893... ~]$ sudo snort -D   -A none -c conf/snort.conf.eth3 -u snort -g snort -i eth3 -l /home/snort/data/eth3 -m 0002 -S INT=eth3
>
> [snort at ...13893... ~]$ sudo tail /var/log/messages
> May 12 04:33:51 monitor-dmzo snort[3579]: | Num States       : 635820
> May 12 04:33:51 monitor-dmzo snort[3579]: | Num Transitions  : 45289523
> May 12 04:33:51 monitor-dmzo snort[3579]: | State Density    : 27.8%
> May 12 04:33:51 monitor-dmzo snort[3579]: | Finite Automatum : DFA
> May 12 04:33:51 monitor-dmzo snort[3579]: | Memory           : 434.13Mbytes
> May 12 04:33:51 monitor-dmzo snort[3579]: +-------------------------------------------------------------
> May 12 04:33:51 monitor-dmzo snort[3579]:
> May 12 04:33:51 monitor-dmzo snort[3579]:         --== Initialization Complete ==--
> May 12 04:33:51 monitor-dmzo snort[3579]: Snort initialization completed successfully (pid=3579)
> May 12 04:33:51 monitor-dmzo snort[3579]: Not Using PCAP_FRAMES
>
> I have the latest version of libpcap from lbl installed and recompiled
> snort with --with-libcap-dir=/usr/local/lib...
>
> Any ideas?
>
> Russell