[Snort-users] Recommended daq pcap bpf buffer size?

elof at ...6680... elof at ...6680...
Tue Feb 19 10:54:48 EST 2013


1)
What bpf buffer size do snort ask for at startup?
...or doesn't it ask for anything at all, but simply use the system OS 
default bpf buffer size?


2)
Should this buffersize be tweaked manually?
An example I found on the Internet:

snort --daq pcap --daq-var buffer_size=536870912

Asking for a 512MB bpf buffer seem a bit excessive.
What is a "good" value to use? Someone wrote that 10MB is enough.

/Elof




More information about the Snort-users mailing list