[Snort-users] Snort takes prohibitively huge time for multiple pcap files

Asad, Hafiz ul Hafiz-ul.Asad at ...17478...
Thu Jan 19 07:46:17 EST 2017


I unfortunately can't. But just to let you know, for the same pcap files, the Ubuntu machine analyses them reasonably quickly (a few minutes). The only difference is I use --pcap-dir= instead of -pcap-dir.


PS: Previously, I have been using Windows for the analysis.

________________________________
From: Bhargava Jandhyala (bjandhya) <bjandhya at ...589...>
Sent: Thursday, January 19, 2017 12:26:39 PM
To: Asad, Hafiz ul; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort takes prohibitively huge time for multiple pcap files

Can you please share the pcaps?

From: "Asad, Hafiz ul" <Hafiz-ul.Asad at ...17478...>
Date: Monday, 16 January 2017 at 3:24 PM
To: "Bhargava Jandhyala (bjandhya)" <bjandhya at ...589...>, "snort-users at ...1753...s.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Snort takes prohibitively huge time for multiple pcap files


The cmd I used is,

-pcap-list="pcap1 pcap2"

Asad

________________________________
From: Bhargava Jandhyala (bjandhya) <bjandhya at ...589...>
Sent: Sunday, January 15, 2017 6:16:35 AM
To: Asad, Hafiz ul; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort takes prohibitively huge time for multiple pcap files

Hi

Can you please share the cmd that you used for running the pcaps list?

Thanks,
Bhargava

From: "Asad, Hafiz ul" <Hafiz-ul.Asad at ...17478...>
Date: Friday, 13 January 2017 at 10:56 PM
To: "snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Snort takes prohibitively huge time for multiple pcap files

Snort Users,

I have two pcap files (about 600 MB each). If I analyse them one by one, it takes Snort 2.9.8.0 about 1 min 10 sec to process them. But if I use any option for multiple files, e.g. --pcap-list "<list>", it takes like forever for Snort to finish and I have to manually stop it. Any solution for this?


Asad




