Snort mailing list archives

not yet:: Re: freebsd/snort 2.9.0.3 daq: how do I verify it is using the ram?


From: Michael Scheidell <michael.scheidell () secnap com>
Date: Sun, 30 Jan 2011 17:28:15 -0500

On 1/30/11 3:49 PM, Michael Altizer wrote:
> You will have to change the default net.bpf.maxbufsize like Frank said to be at least as large as what you entered or it will fall back on the maximum allowed (my FreeBSD install defaulted to 512k).
patch applied, daq 0.5_1:
still not convinced, but on to seeing what happens with --daq ipfw now... just because I am a sick individual and crave self abuse.

USER    PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
snort 1878 93.8 3.2 187332 134444 ?? Ss 5:22PM 0:00.01 /usr/local/bin/snort -c /etc/snort/snort_wan.conf -i untrust0 -l /var/log/snort_wan -F /etc/snort/snort_wan.bpf -dDqI -m 022 -k none --nolock-pidfile --daq pcap --daq-var buffer_size=131072

USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED      TIME COMMAND
root 1876 33.6 3.1 181188 128700 ?? Ss 5:22PM 0:00.02 /usr/local/bin/snort -c /etc/snort/snort_lan.conf -i trust1 -l /var/log/snort_lan -F /etc/snort/snort_lan.bpf -dDqI -m 022 -k none --nolock-pidfile --daq pcap --daq-var buffer_size=131072

scanner2.secnap.com# sysctl net.bpf
net.bpf.maxinsns: 512
net.bpf.maxbufsize: 524288
net.bpf.bufsize: 4096

verified patch:
 diff -bBru daq_pcap.c.orig daq_pcap.c
--- daq_pcap.c.orig    2010-10-01 17:58:15.000000000 -0400
+++ daq_pcap.c    2011-01-30 17:24:20.000000000 -0500
@@ -216,7 +216,7 @@
     for (entry = config->values; entry; entry = entry->next)
     {
         if (!strcmp(entry->key, "buffer_size"))
-            context->buffer_size = strtol(entry->key, NULL, 10);
+            context->buffer_size = strtol(entry->value, NULL, 10);
     }
/* Try to account for legacy PCAP_FRAMES environment variable if we weren't passed a buffer size. */
     if (context->buffer_size == 0)
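Review bot: the one-line fix in this hunk is right (the old line parsed entry->key, and strtol on the literal string "buffer_size" can only ever return 0, so the configured size was never read), but the strtol result is still used unchecked: a non-numeric or negative --daq-var value is accepted silently, and only an exact 0 reaches the PCAP_FRAMES fallback that follows. Consider an end-pointer and range check, e.g. `char *end; long v = strtol(entry->value, &end, 10); if (*end != '\0' || v <= 0) { /* reject the value */ }`, so a mistyped buffer_size fails loudly instead of handing the pcap layer a nonsense size.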

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best in Email Security, 2010: Network Products Guide
   * King of Spam Filters, SC Magazine 2008
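Added example, not from this post or from the DAQ project: a small POSIX shell check for the question the subject line asks. It parses the `--daq-var buffer_size=N` argument from a snort command line (the form shown in the ps output above) and the `net.bpf.maxbufsize` value from `sysctl net.bpf` output (the format shown above), then reports whether the request fits under the BPF cap or would be clamped to the maximum, as Michael Altizer describes. The sample command line and sysctl text are constructed to mirror the values in the post so the script runs offline; the function and variable names are the example's own.

```shell
# Added example (not part of the original post or of DAQ).
# FreeBSD caps each BPF read buffer at net.bpf.maxbufsize; a larger
# --daq-var buffer_size request is silently clamped to that maximum.

# bpf_maxbufsize_from_sysctl: read `sysctl net.bpf` output on stdin and
# print only the numeric value of net.bpf.maxbufsize.
bpf_maxbufsize_from_sysctl() {
    sed -n 's/^net\.bpf\.maxbufsize: *\([0-9][0-9]*\)$/\1/p'
}

# check_bpf_buffer CMDLINE MAXBUFSIZE
# Prints "ok" (request fits), "clamped" (request exceeds the cap) or
# "none" (no buffer_size on the command line); returns 0 only for "ok".
check_bpf_buffer() {
    cmdline=$1
    maxbuf=$2
    req=$(printf '%s\n' "$cmdline" \
        | sed -n 's/.*--daq-var buffer_size=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$req" ]; then
        echo none
        return 1
    fi
    if [ "$req" -gt "$maxbuf" ]; then
        echo clamped
        return 1
    fi
    echo ok
    return 0
}

# Constructed sample input mirroring the post: a snort command line
# requesting a 128k buffer and the sysctl output with a 512k cap.
SAMPLE_CMD='/usr/local/bin/snort -c /etc/snort/snort_wan.conf -i untrust0 --daq pcap --daq-var buffer_size=131072'
SAMPLE_SYSCTL='net.bpf.maxinsns: 512
net.bpf.maxbufsize: 524288
net.bpf.bufsize: 4096'

SAMPLE_MAX=$(printf '%s\n' "$SAMPLE_SYSCTL" | bpf_maxbufsize_from_sysctl)
check_bpf_buffer "$SAMPLE_CMD" "$SAMPLE_MAX"

# On the sensor itself (FreeBSD), the live form would be:
# ps -axo command | grep '[s]nort' | while read -r line; do
#     check_bpf_buffer "$line" "$(sysctl net.bpf | bpf_maxbufsize_from_sysctl)"
# done
```

With the values from the post (131072 requested, 524288 cap) the check prints `ok`; raising buffer_size above 524288 without also raising `net.bpf.maxbufsize` prints `clamped`, which is the case where the configured number and the buffer actually in use differ.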


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users