Snort mailing list archives
Re: Mmapped Capture on Linux
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 13 Aug 2010 12:45:55 -0400
On Fri, Aug 13, 2010 at 12:09 PM, beenph <beenph () gmail com> wrote:
Mike's post also made me look at libpcap-1.x, and I thought this would be informative for people looking toward that path. Seems like libpcap-1.x now supports MMAPed socket I/O like Phil Wood's pcap, but I think there is a little gotcha. In pcap-linux.c we can see the following:

activate_mmap(pcap_t *handle)
{
#ifdef HAVE_PACKET_RING
<snip>
    /* by default request 2M for the ring buffer */
    handle->opt.buffer_size = 2*1024*1024;
</snip>

And opt.buffer_size is used to initialize the buffer, thus if you use something like snort or tcpdump or wireshark, you might have to modify the buffer size, with a pcap_set_buffer_size() call, before any call to a function that calls pcap_activate(). So you can actually have a buffer greater than 2MB ... which wouldn't be able to sustain much stress.

Phil Wood's libpcap used to take the parameter by an ENV variable. I guess it would either be up to people to patch their software, or maybe Sourcefire could slip some code in without much hassle to allow it to be a Snort parameter.
With Snort 2.9.0 and the pcap DAQ you can set the buffer size, and if not, the DAQ will try the PCAP_FRAMES env var. Or you can use the afpacket DAQ.

Russ
-elz

On Thu, Aug 12, 2010 at 7:05 PM, beenph <beenph () gmail com> wrote:

For the general information, since 2.6.34 (maybe it could have been earlier) the kernel doesn't need to be compiled with mmap socket I/O support, it's now built-in.
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.34.y.git;a=commit;h=889b8f964f2f226b7cd5a0a515109e3d8d9d1613

-elz

On Thu, Aug 12, 2010 at 5:57 PM, Mike Lococo <mikelococo () gmail com> wrote:

It looks like the later versions will use mmap if possible. A crude way to check on linux: run this before and after starting Snort:

grep -i mapped /proc/meminfo

The mapped allocation grows a bit and then bounces around after enabling snort. Prior to enabling snort, it's quite stable. I assume this means that we're using mmapped collection already.

BTW, you can go to Snort 2.9.0 and use afpacket. That uses mmap and works with live traffic both passive and inline. :)

I'll have a peek at this. I'm still seeing ~10% packet loss at 50mbit/sec on a fairly monstrous box with very little CPU usage. I'll also have to look into kernel-tuning a bit. I've been spoiled by Endace Dag cards on high-bandwidth links. Monitoring a measly 150 megabits on a commodity ethernet card seems difficult by comparison. Thanks for your help.
Cheers,
Mike Lococo

------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Mmapped Capture on Linux Mike Lococo (Aug 11)
- Re: Mmapped Capture on Linux Russ Combs (Aug 12)
- Re: Mmapped Capture on Linux Mike Lococo (Aug 12)
- Re: Mmapped Capture on Linux beenph (Aug 12)
- Re: Mmapped Capture on Linux beenph (Aug 13)
- Re: Mmapped Capture on Linux Russ Combs (Aug 13)
- Re: Mmapped Capture on Linux beenph (Aug 13)
- Re: Mmapped Capture on Linux Michael Altizer (Aug 13)
- Re: Mmapped Capture on Linux Mike Lococo (Aug 12)
- Re: Mmapped Capture on Linux Russ Combs (Aug 12)