[Snort-users] Best practice for Snort with pcap file?
rucombs at cisco.com
Fri Jun 16 20:38:36 EDT 2017
Hi. Neither is better; it just depends on your goals. Use packet
captures for testing, debugging, analysis, etc. Use network interfaces
to protect your network. Either way you can use multiple processing
threads by providing multiple sources (pcaps or interfaces). We will
eventually support internal load balancing but for now that must be done
externally. And yes, high speed packet captures will quickly fill up
your disk. :)
Check the manual (or the DAQ tarball README) for packet acquisition
options. The various Snort 2.X documents also have helpful information
for DAQ configurations. And check back here if you get stuck.
On 6/16/17 5:52 PM, Nishant Bhat via Snort-users wrote:
> (Noob question) I'm setting up Snort 3, and the manual shows both how
> to set up Snort to listen to live traffic on a network interface, and
> how to have Snort inspect a packet capture file. I'm wondering which
> of these configurations is a better practice? I see more examples of
> the pcap-inspection setup, so I'm assuming this is what tends to get
> used. It also seems like this is the only way to take advantage of
> Snort 3's multithreading.
> In this case, do people usually set up a separate instance of tcpdump
> to capture packets? If so, how do you avoid having the pcap file use
> all your disk space? Thanks in advance!
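The two points in the reply above, multiple packet threads coming from multiple sources and a capture that cannot fill the disk, as an added example that is not part of the list post or of the Snort project's own code. It assumes Snort 3 and tcpdump are installed, that snort.lua lives at the path in SNORT_CONF (override it for your install), and that repeating `-i` is the way to hand Snort 3 several interfaces (an assumption; check `snort --help` for your build). tcpdump's `-C`/`-W` ring buffer is real; `-z` and `--pcap-dir` are real Snort 3 options.

```shell
#!/bin/sh
# Added example, not from the Snort project or the list post.
# Assumed: SNORT_CONF path, and that "-i" may be repeated per interface.
set -eu

SNORT_CONF="${SNORT_CONF:-/usr/local/etc/snort/snort.lua}"

# Bounded live capture: tcpdump rotates every SIZE_MB megabytes and keeps
# at most COUNT files, so the capture can never use more than SIZE_MB*COUNT.
capture_ring_cmd() {
    iface=$1; outdir=$2; size_mb=$3; count=$4
    printf 'tcpdump -i %s -n -C %s -W %s -w %s/capture.pcap\n' \
        "$iface" "$size_mb" "$count" "$outdir"
}

# Worst-case disk footprint of that ring buffer, in MB.
ring_ceiling_mb() {
    echo $(( $1 * $2 ))
}

# Number of .pcap files in a directory; each one is a packet source to Snort.
pcap_count() {
    n=0
    for f in "$1"/*.pcap; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Snort 3 gives at most one packet thread per source, so asking for more
# threads than sources just leaves threads idle. Clamp the request.
effective_threads() {
    requested=$1; sources=$2
    if [ "$sources" -lt 1 ]; then echo 1
    elif [ "$requested" -gt "$sources" ]; then echo "$sources"
    else echo "$requested"; fi
}

# Offline inspection of every pcap in a directory, one thread per file
# up to the requested count.
snort_pcap_dir_cmd() {
    dir=$1
    threads=$(effective_threads "$2" "$(pcap_count "$dir")")
    printf 'snort -c %s --pcap-dir %s -z %s -A alert_fast\n' \
        "$SNORT_CONF" "$dir" "$threads"
}

# Live inspection: one interface per thread. Splitting one link's traffic
# across interfaces (NIC queues, a packet broker) is the external load
# balancing the reply mentions; Snort does not do it internally yet.
snort_live_cmd() {
    args=""
    for i in "$@"; do args="$args -i $i"; done   # assumed repeat-"-i" form
    printf 'snort -c %s%s -z %s --daq afpacket -A alert_fast\n' \
        "$SNORT_CONF" "$args" "$#"
}

# Usage: capture IFACE OUTDIR [MB] [COUNT] | replay DIR [THREADS] | live IFACE...
# Each subcommand prints the command line; pipe into sh to run it.
case "${1:-}" in
    capture) capture_ring_cmd "$2" "$3" "${4:-100}" "${5:-50}" ;;
    replay)  snort_pcap_dir_cmd "$2" "${3:-4}" ;;
    live)    shift; snort_live_cmd "$@" ;;
    *)       : ;;   # no subcommand: only define the functions
esac
```

Running `sh snortwrap.sh capture eth0 /var/caps 100 50 | sh` keeps at most 5000 MB on disk, and `sh snortwrap.sh replay /var/caps 8 | sh` inspects the rotated files with one thread each, capped by however many files exist.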