Re: Linux & Pcap ... :-(

["Paul B. Poh" <paul () paulpoh com>]

Hi Lawrence,

Did you happen to also install Phil's turbopacket patch?

I was just looking at the patch and if I read the code properly, it 
looks like he replaces portions of packet_getsockopt() including the 
code that resets the packet stats structure.

I'm guessing that it's probably the turbopacket patch as opposed to the 
modified libpcap that will cure Kevin's issue. :-)

Paul.

Lawrence Reed wrote:
> Kevin,
> Compile snort with the libpcap from Phil Wood.  This works for me and 
> improves performance as well ( ring buffer support).
>
> http://public.lanl.gov/cpw/
>
> Kevin Peuhkurinen wrote:
>
> > So I'm trying to make up a script that will show my bosses the daily 
> > stats dump resulting from a SIGUSR1 to Snort.   Unfortunately, it 
> > appears that when Snort calls libpcap to get the its stats, libpcap 
> > thereafter resets them to zero.   So, the next time I do a SIGUSR1, 
> > the 'breakdown by protocol' shows > 100% because Snort keeps track of 
> > the individual protocol stats but gets the percentage based on the 
> > numbers provided by libpcap.
[snipped]



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users