Snort mailing list archives

Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram?


From: Michael Altizer <xiche () verizon net>
Date: Sun, 30 Jan 2011 15:49:51 -0500

On 01/30/2011 03:30 PM, Michael Altizer wrote:
On 01/30/2011 02:10 PM, Michael Scheidell wrote:

so, I am still wondering if snort is using daq !

Snort will always be using LibDAQ, so don't worry about that. For example, in your case it is going Snort -> LibDAQ -> LibPCAP -> FreeBSD BPF.
And LibPCAP does use the value given in pcap_set_buffer_size() on FreeBSD. You can search for buffer_size in pcap-bpf.c in the LibPCAP source to see how it uses it. The short of it is that it uses that as bz_buflen in the zero-copy BPF case and tries to set the buffer length with the BIOCSBLEN ioctl in the non-zero-copy BPF case. You will have to change the default net.bpf.maxbufsize like Frank said to be at least as large as what you entered or it will fall back on the maximum allowed (my FreeBSD install defaulted to 512k).
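
The check described in the message above, as an added example that is not part of the original post or of Snort, LibDAQ or LibPCAP: it compares a requested capture buffer size with net.bpf.maxbufsize and reports the size you end up with according to the fallback described above. The function names are hypothetical, sizes are assumed to be plain byte counts, and the cap can be passed as a second argument on hosts without that sysctl.

```shell
#!/bin/sh
# Added example (not from the original post): does the requested capture
# buffer fit under the BPF cap on this FreeBSD host?

# effective_bpf_buflen REQUESTED MAXBUF
# Prints the buffer size that results per the message above: the request
# itself, or MAXBUF when the request is larger than the cap.
effective_bpf_buflen() {
    for v in "$1" "$2"; do
        case $v in
            ''|*[!0-9]*) echo "sizes must be byte counts" >&2; return 2 ;;
        esac
    done
    if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
}

# check_bpf_buffer REQUESTED [MAXBUF]
# MAXBUF defaults to the live value of net.bpf.maxbufsize.
# Returns 0 if the request fits, 1 if it would be cut down, 2 on error.
check_bpf_buffer() {
    req=$1
    max=${2:-$(sysctl -n net.bpf.maxbufsize 2>/dev/null || true)}
    if [ -z "$max" ]; then
        echo "net.bpf.maxbufsize not available on this host" >&2
        return 2
    fi
    eff=$(effective_bpf_buflen "$req" "$max") || return 2
    if [ "$eff" -lt "$req" ]; then
        # Raising the cap to at least the requested size removes the clamp.
        echo "CLAMPED requested=$req effective=$eff fix: sysctl net.bpf.maxbufsize=$req"
        return 1
    fi
    echo "OK requested=$req effective=$eff"
}

# Run directly as: sh check_bpf.sh 1048576
if [ "$#" -gt 0 ]; then
    check_bpf_buffer "$@"
fi
```

Pass the same byte count you gave Snort for the capture buffer; a CLAMPED result means the cap has to be raised before starting Snort.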