[Snort-users] Snort 2.9.0.3 & Phil Wood's modified libpcap

Mike Lococo mikelococo at ...11827...
Tue Feb 8 12:15:44 EST 2011


On 02/08/2011 10:06 AM, Weir, Jason wrote:
> The change file (goes back to 1994)
> http://www.tcpdump.org/libpcap-changes.txt doesn't mention mmap or
> ring buffer.
> 
> Anyone have definitive proof that the latest libpcap versions have
> the good stuff included?

That changes file looks to be out of date.  Check the October 27, 2008
1.0.0 changelog below which notes "Support for memory-mapped capture on
Linux":

https://github.com/mcr/libpcap/blob/3c13ac2cc3e06899a8ed1aca3e88b2abebb02c9a/CHANGES

Although I'll echo the warning of other folks that the buffer size is
hardcoded with daq-0.5 and earlier (although the change in 0.5.1 is news
to me, I look forward to testing it) and too small for a reasonably
sized network.  Packet loss occurs at 100-150 Mbit/s (down from 200-300)
when using mmapped capture on libpcap-1.0.0/daq-0.5 compared to
libpcap-0.9.8.  AFPacket is much better with an adequately sized buffer,
and maybe mmap with a reasonable buffer will be good as well.

Cheers,
Mike Lococo
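Added example, not part of the thread and not Snort or DAQ project code: a small POSIX shell helper that turns the buffer-sizing advice above into concrete Snort invocations. It assumes the daq-var names documented for the Snort 2.9 DAQ modules (afpacket takes buffer_size_mb in megabytes; the pcap module takes buffer_size in bytes and needs libpcap 1.0.0 or later for pcap_set_buffer_size()); check them against the README shipped with your daq version, since the thread notes the pcap buffer only became configurable in daq-0.5.1. The "seconds of line rate" sizing rule is my own rule of thumb, not something the thread states.

```shell
#!/bin/sh
# Added example: pick a capture buffer for Snort 2.9.x large enough for
# the link, instead of relying on the (formerly hardcoded) DAQ default.
#
# Assumed daq-var names (from Snort 2.9 DAQ documentation; verify locally):
#   afpacket: buffer_size_mb   kernel ring size in megabytes
#   pcap:     buffer_size      pcap buffer in bytes, libpcap >= 1.0.0 only

# Return 0 if a libpcap version string is 1.0.0 or newer, i.e. a release
# with memory-mapped capture on Linux and pcap_set_buffer_size().
# Usage: libpcap_has_mmap "$(pcap-config --version)"   (pcap-config ships
# with newer libpcap; pass the version string yourself if it is missing)
libpcap_has_mmap() {
    major=${1%%.*}                       # "1.0.0" -> "1", "0.9.8" -> "0"
    [ "$major" -ge 1 ] 2>/dev/null
}

# Rule of thumb (assumption): buffer enough megabytes to absorb $2 seconds
# of traffic at $1 Mbit/s, so a short stall in the detection engine does
# not translate directly into kernel drops.
buffer_mb_for_rate() {
    echo $(( $1 * $2 / 8 ))
}

# Print the snort command line for a DAQ module, sniffing interface and
# buffer size in megabytes; the pcap module wants the size in bytes.
snort_capture_cmd() {
    daq=$1; iface=$2; mb=$3
    case "$daq" in
        afpacket)
            echo "snort --daq afpacket -i $iface --daq-var buffer_size_mb=$mb -c /etc/snort/snort.conf"
            ;;
        pcap)
            echo "snort --daq pcap -i $iface --daq-var buffer_size=$((mb * 1024 * 1024)) -c /etc/snort/snort.conf"
            ;;
        *)
            echo "unknown DAQ module: $daq" >&2
            return 1
            ;;
    esac
}

# Example: a 1 Gbit/s span port, two seconds of headroom, afpacket DAQ.
mb=$(buffer_mb_for_rate 1000 2)
snort_capture_cmd afpacket eth0 "$mb"
```

After starting Snort with the larger buffer, compare the "Packet I/O Totals" dropped counter in its statistics against the previous run at the same traffic rate; if drops persist with afpacket at a generous buffer, the bottleneck is the detection engine rather than capture.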
