[Snort-users] Snort 126.96.36.199 & Phil Wood's modified libpcap
mikelococo at ...11827...
Tue Feb 8 12:15:44 EST 2011
On 02/08/2011 10:06 AM, Weir, Jason wrote:
> The change file (goes back to 1994)
> http://www.tcpdump.org/libpcap-changes.txt doesn't mention mmap or
> ring buffer.
> Anyone have definitive proof that the latest libpcap versions have
> the good stuff included?
That changes file looks to be out of date. Check the October 27, 2008
1.0.0 changelog below which notes "Support for memory-mapped capture on

Although I'll echo the warning of other folks that the buffer-size is
hardcoded with daq-0.5 and earlier (although the change in 0.5.1 is news
to me, I look forward to testing it) and too small for a reasonably
sized network. Packet loss occurs at 100-150mbits (down from 200-300)
when using mmapped capture on libpcap-1.0.0/daq-0.5 compared to
libpcap-0.9.8. AFPacket is much better with an adequately sized buffer,
and maybe mmap with a reasonable buffer will be good as well.