[Snort-users] Using afpacket in IDS mode - HELP PLEASE

Bryan Arenal b.arenal at ...11827...
Mon Jun 4 13:17:36 EDT 2012


I just wanted to ask this question again. Is there any reason not to
use afpacket when running in passive mode rather than standard
libpcap?

Thank you

On Mon, May 28, 2012 at 9:04 AM, Bryan Arenal <b.arenal at ...11827...> wrote:
> Hello,
>
> I was reviewing my sensor configurations and was wondering about the
> use of afpacket in IDS mode.  Is there any reason not to use it when
> monitoring passively as opposed to libpcap?
>
> I'm testing it in this configuration and am seeing this in my logs.
> My daq_var buffer_size_mb=2048:
>
> S5: Session exceeded configured max bytes to queue 1048576 using
> 1049220 bytes (client queue)
>
> Is this also happening in pcap mode but the logging isn't as verbose?
>
> Thank you



