Snort mailing list archives
Re: Tapping into the ring buffer
From: Milani Paolo <Paolo.Milani () TILAB COM>
Date: Tue, 23 Aug 2005 11:16:59 +0200
I may be wrong, but I think that each sniffing application creates a new packet socket, and this means that if you have, say, snort and tcpdump both sniffing the same traffic, each packet is queued into two socket queues (and gets copied. An additional copy is made to send the packet into the normal IP processing queue unless it is disabled for that interface). Phil wood's pcap then kicks in to avoid that each of these packets is copied again into user space (because the socket queue is memory mapped into user space and can be accessed directly). Whatever the details are, since when an application gets access to the memory of a packet it can modify them (snort does that too, rpc_decode i think is an example), it would be unsafe not to make a different copy for each application. Sharing access to the sniffed packets would require a rather large amount of tampering, either in the kernel or in the applications involved. So having multiple sniffing applications will slow down snort.. how big a slowdown i guess you won't know until you try it out. Paolo Gruppo Telecom Italia - Direzione e coordinamento di Telecom Italia S.p.A. ==================================================================== CONFIDENTIALITY NOTICE This message and its attachments are addressed solely to the persons above and may contain confidential information. If you have received the message in error, be informed that any use of the content hereof is prohibited. Please return it immediately to the sender and delete the message. Should you have any questions, please send an e_mail to MailAdmin () tilab com. Thank you ==================================================================== ------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Tapping into the ring buffer sekure (Aug 19)
- Re: Tapping into the ring buffer Harry Hoffman (Aug 19)
- Re: Tapping into the ring buffer sekure (Aug 22)
- RE: Tapping into the ring buffer Joe Patterson (Aug 22)
- Re: Tapping into the ring buffer sekure (Aug 22)
- <Possible follow-ups>
- Re: Tapping into the ring buffer Milani Paolo (Aug 23)
- Re: Tapping into the ring buffer Harry Hoffman (Aug 19)