Snort mailing list archives

Re: My Linux libpcap


From: Phil Wood <cpw () lanl gov>
Date: Wed, 21 May 2003 08:43:12 -0600

Take a look at the README.ring and read the discussion about "to_ms".

Then, try:
  now=`date +'%s'`
  future=`expr $now + 60`
  PCAP_TIMEOUT=$future PCAP_STATS=0x1fff PCAP_FRAMES=max PCAP_PERIOD=10000 PCAP_VERBOSE=1 PCAP_TO_MS=0 tcpdump -i eth0 -s 1514 -w /dev/null

If you do not see something like the following, then something else is wrong.

tcpdump: WARNING: eth1: no IPv4 address assigned
libpcap version: 0.8
Kernel filter, Protocol 0300, MMAP mode (32768 frames, snapshot 1514), socket type: Raw
tcpdump: listening on eth1, capture size 1514 bytes
S:1053528027.575273 119584 0 119565 0 119009 65223982 64775751 0 22082 613 0 000000010.000038
S:1053528037.575311 120764 0 120764 0 121294 66179257 65641177 0 11774 27 0 000000010.000006
S:1053528047.575317 116232 0 116232 0 115895 66244610 66092203 0 29702 23 0 000000010.000062
S:1053528057.575379 124922 0 124922 0 123642 70961130 70897915 0 23552 17 0 000000010.000257
S:1053528067.575636 122348 0 122348 0 123910 69414289 68198439 0 14828 142 0 000000010.000025
S:1053528077.575661 121811 0 121811 0 121319 69319285 69162909 0 5567 29 0 000000010.000091
S:1053528087.575752 5830 0 5830 0 0 0 3411412 0 11397 9 0 000000000.424249
tcpdump: pcap_loop: User specified timeout occured

731478 packets received by filter
0 packets dropped by kernel


You probably should read both README.linux and README.ring, and make
sure you have the correct kernel configuration, or MMAP mode will not
show up in the verbosity above.

Later,

Phil
http://public.lanl.gov/cpw

On Wed, May 21, 2003 at 10:22:22AM +0200, Lionel CONS wrote:
Hello,

I'm trying to use your version of libpcap (libpcap-0.8.030331.tar.gz)
but I found something strange. My program is now using 99% of the CPU
while it was around 20% before, when using the system's libpcap. This
machine is running Red Hat Linux 7.3 with a 1.6 GHz CPU.

I then tried on another machine seeing the same traffic and the
program is still 99% CPU while the processor is 2.4 GHz. Both capture
roughly the same number of packets. Is it possible that there is a bug
(feature) in your version that makes libpcap actively poll for
packets instead of being blocked with something like select()?

Thanks in advance for your help,
__________________________________________________________
Lionel Cons        http://cern.ch/lionel.cons
CERN               http://www.cern.ch

