[Snort-users] Best practice for Snort with pcap file?

Russ rucombs at cisco.com
Fri Jun 16 20:38:36 EDT 2017

Hi.  Neither is better, it just depends on your goals.  Use packet 
captures for testing, debugging, analysis, etc.  Use network interfaces 
to protect your network.  Either way you can use multiple processing 
threads by providing multiple sources (pcaps or interfaces).  We will 
eventually support internal load balancing but for now that must be done 
externally.  And yes, high speed packet captures will quickly fill up 
your disk.  :)

Check the manual (or the DAQ tarball README) for packet acquisition 
options.  The various Snort 2.X documents also have helpful information 
for DAQ configurations.  And check back here if you get stuck.

Good luck.

On 6/16/17 5:52 PM, Nishant Bhat via Snort-users wrote:
> (Noob question) I'm setting up Snort 3, and the manual shows both how 
> to set up Snort to listen to live traffic on a network interface, and 
> how to have Snort inspect a packet capture file. I'm wondering which 
> of these configurations is a better practice? I see more examples of 
> the pcap-inspection setup, so I'm assuming this is what tends to get 
> used. It also seems like this is the only way to take advantage of 
> Snort 3's multithreading.
> In this case, do people usually set up a separate instance of tcpdump 
> to capture packets? If so, how do you avoid having the pcap file use 
> all your disk space? Thanks in advance!
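
The two points in the reply above (several packet threads need several sources, and captures fill the disk) can be handled together. The following is an added example, not part of the original post or the Snort project's code: it keeps a directory of rotated captures within a byte budget, then builds a Snort 3 command that replays the remaining files. The function names, the tcpdump rotation settings and all paths are assumptions.

```shell
#!/bin/sh
# Assumption: capture names sort chronologically, e.g. files written by
#   tcpdump -i eth0 -G 300 -w '/var/pcap/cap-%Y%m%d-%H%M%S.pcap'
# (eth0, /var/pcap and the 300 s rotation are placeholder values).

# dir_bytes DIR: print the total size in bytes of DIR/*.pcap.
dir_bytes() {
    total=0
    for f in "$1"/*.pcap; do
        if [ -f "$f" ]; then total=$((total + $(wc -c < "$f"))); fi
    done
    echo "$total"
}

# prune_captures DIR MAX_BYTES: delete the oldest captures until DIR fits the
# budget. The newest file is always kept because the capture process may still
# be writing it. Prints the number of files removed.
prune_captures() {
    dir=$1; max=$2; removed=0
    used=$(dir_bytes "$dir")
    set -- "$dir"/*.pcap            # lexical order == oldest first (assumed)
    while [ "$#" -gt 1 ] && [ "$used" -gt "$max" ]; do
        used=$((used - $(wc -c < "$1")))
        rm -f -- "$1"
        removed=$((removed + 1))
        shift
    done
    echo "$removed"
}

# snort_replay_cmd CONF DIR MAX_THREADS: print the Snort 3 command that reads
# every capture in DIR with one packet thread per pcap, capped at MAX_THREADS.
# Paths are assumed to contain no spaces.
snort_replay_cmd() {
    n=0
    for f in "$2"/*.pcap; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    [ "$n" -gt 0 ] || return 1      # nothing to replay
    [ "$n" -lt "$3" ] || n=$3
    echo "snort -c $1 --pcap-dir $2 --pcap-filter '*.pcap' -z $n"
}
```

Run `prune_captures` from cron or a loop alongside the capture process, and run the printed Snort command against the same directory.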
