[Snort-users] Snort 2.9.0.3 & Phil Wood's modified libpcap

Michael Altizer xiche at ...3147...
Tue Feb 8 22:20:02 EST 2011


On 02/08/2011 08:36 AM, Weir, Jason wrote:
> Running into problems - seems DAQ needs libpcap version greater than
> 1.0.0
>
> ./configure on daq gives me this
>
> ERROR!  Libpcap library version>= 1.0.0  not found.
>
> Unfortunately Phil's libpcap version is 0.9.8
>
> Any way around this?
>
> Jason

On Linux, the PCAP DAQ module attempts to emulate Phil's modifications
by interpolating his PCAP_FRAMES environment variable into something 
relatively equivalent to pass to pcap_set_buffer_size() on LibPCAP >= 
1.0.0 (see daq_pcap.c:translate_PCAP_FRAMES).  Since LibPCAP 1.0.0, the 
default method for opening Linux interfaces is via mmap (AF_PACKET 
socket) if possible.  Also, the AFPacket DAQ module provides a more 
direct and flexible interface to this, as well as a number of other 
features, so I would suggest giving that a try.

-Michael
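
An added illustration of the kind of translation described in the reply above (not code from the post and not the contents of daq_pcap.c): it converts a PCAP_FRAMES-style frame count into a byte size that could be handed to pcap_set_buffer_size() between pcap_create() and pcap_activate(). The function name, the 80-byte per-frame overhead, the 32768-frame ceiling, the "max" keyword and the page-rounding scheme are assumptions made for the example.

```c
/* Added example, not the DAQ source: PCAP_FRAMES-style count -> buffer bytes. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

#define ALIGN16(x)     (((x) + 15L) & ~15L)
#define MAX_FRAMES     32768L /* assumed ceiling, also used for "max" */
#define FRAME_OVERHEAD 80     /* assumed per-frame ring header bytes */

/* Returns 0 when the value is unset or unusable, meaning "keep libpcap's
 * default buffer"; otherwise a byte count clamped to what an int can hold,
 * since pcap_set_buffer_size() takes an int. */
int frames_to_buffer_bytes(const char *frames_str, int snaplen, long page_size)
{
    char *end;
    long frames, frame_size, block_size, frames_per_block;
    long long bytes;

    if (!frames_str || !*frames_str || snaplen <= 0 || page_size <= 0)
        return 0;
    if (strcasecmp(frames_str, "max") == 0) {
        frames = MAX_FRAMES;
    } else {
        frames = strtol(frames_str, &end, 10);
        if (*end != '\0' || frames <= 0)   /* reject "abc", "12x", "-5" */
            return 0;
        if (frames > MAX_FRAMES)
            frames = MAX_FRAMES;
    }
    /* Frames are packed into power-of-two multiples of the page size. */
    frame_size = ALIGN16((long)snaplen + FRAME_OVERHEAD);
    block_size = page_size;
    while (block_size < frame_size)
        block_size <<= 1;
    frames_per_block = block_size / frame_size;
    bytes = (long long)frames * block_size / frames_per_block;
    return bytes > INT_MAX ? INT_MAX : (int)bytes;
}

int main(void)
{
    int bytes = frames_to_buffer_bytes(getenv("PCAP_FRAMES"), 1514,
                                       sysconf(_SC_PAGESIZE));
    if (bytes > 0)
        printf("would call pcap_set_buffer_size(handle, %d)\n", bytes);
    else
        puts("PCAP_FRAMES unset or invalid: keeping libpcap default buffer");
    return 0;
}
```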



