[Snort-users] Snort 2.9, RHEL 5 and afpacket DAQ

beenph beenph at ...11827...
Wed Oct 20 15:03:48 EDT 2010


In daq_afpacket.c there is a #define  which people who would like to set
bigger buffer might want to take a look.

#define AF_PACKET_MAX_BUFFER_SIZE   128

<SNIP>
  for (entry = config->values; entry; entry = entry->next)
    {
      *  if (!strcmp(entry->key, "buffer_size_mb"))
            size_str = entry->value;
*        else if (!strcmp(entry->key, "debug"))
            debug = 1;
    }
    /* Fall back to the environment variable. */
    if (!size_str)
        size_str = getenv("AF_PACKET_BUFFER_SIZE");

    if (size_str && strcmp("max", size_str) != 0)
    {
        size = strtoul(size_str, NULL, 10);
        if (size > AF_PACKET_MAX_BUFFER_SIZE)
       *     size = AF_PACKET_MAX_BUFFER_SIZE;
*    }
*   ** else
        size = AF_PACKET_MAX_BUFFER_SIZE;
*
    /* The size is specified in megabytes. */
    size = size * 1024 * 1024;

</SNIP>
On Wed, Oct 20, 2010 at 2:19 PM, Mike Lococo <mikelococo at ...11827...> wrote:

> On 10/20/2010 01:35 PM, Eoin Miller wrote:
> > afpacket is nearly identical to mmap'd libpcap. Just give afpacket a
> > bigger buffer and the performace should be extremely comprable, and you
> > don't have to use super old libpcap anymore.
>
> I think what Ralf is asserting, and Rich and confirming, is that buffer
> sizes larger than ~50MB are failing with afpacket (but not with the
> Woods patches)... so it is not (yet) possible to use a comparable buffer
> size for some unknown reason.
>
> Cheers,
> Mike Lococo
>
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America
> contest
> Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in
> marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20101020/84a845f4/attachment.html>


More information about the Snort-users mailing list