[Snort-users] Snort 18.104.22.168 & Phil Wood's modified libpcap
xiche at ...3147...
Tue Feb 8 22:20:02 EST 2011
On 02/08/2011 08:36 AM, Weir, Jason wrote:
> Running into problems - seems DAQ needs libpcap version greater than
> ./configure on daq gives me this
> ERROR! Libpcap library version>= 1.0.0 not found.
> Unfortunately Phil's libpcap version is 0.9.8
> Any way around this?
On Linux, the PCAP DAQ module attempts to emulate Phil's modifications
by interpolating his PCAP_FRAMES environment variable into something
relatively equivalent to pass to pcap_set_buffer_size() on LibPCAP >=
1.0.0 (see daq_pcap.c:translate_PCAP_FRAMES). Since LibPCAP 1.0.0, the
default method for opening Linux interfaces is via mmap (AF_PACKET
socket) if possible. Also, the AFPacket DAQ module provides a more
direct and flexible interface to this, as well as a number of other
features, so I would suggest giving that a try.
More information about the Snort-users