Snort mailing list archives
Re: Snort as Gigabit Sensor
From: Frank Knobbe <frank () knobbe us>
Date: 31 Jul 2003 16:19:17 -0500
On Thu, 2003-07-31 at 16:02, Chris Green wrote:
Let me ask you this then... is the pcap loop buffered? Does libpcap buffer packets itself (internally being multi-threaded)? If not, having at least the acquisition separated and buffered should help Snort not to drop packets when it is busy logging to the database.
Welcome to why barnyard is a separate process :> small disk writes are cheap and buffered by OS, let the pending stuff happen in snort.
Touche. Still didn't answer my question though :) How much buffering occurs in libpcap?
Frank