Snort mailing list archives

help improving time it takes to read compressed tcpdumps


From: Erik Melander <Emelander () wyndham com>
Date: Wed, 7 Nov 2001 11:40:30 -0600

As I understand it, Snort does not accept tcpdump data from stdin, but
requires the use of the "-r" flag to read tcpdumps.  Currently, I pull
compressed tcpdumps from my sensors, aggregate them on the analyzing
machine, uncompress them, read them into Snort, and recompress them for
archival purposes.  I would like to use the Compress::Zlib perl module to
uncompress and compress on the fly while dumping the data into stdin (much
like the fetchem.pl script does on Shadow).  This should significantly
reduce the time it takes to read compressed tcpdumps into Snort.  Even
better would be the ability to compile zlib into snort so it can natively
read compressed tcpdumps.  If this is not possible, if anyone has any
suggestions for improving the time it takes for this process, I would love
to hear it.  Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
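The streaming read asked for above, done from the shell instead of Perl, as an added example that is not from the post or from the Snort project: the decompressor writes into a FIFO and the "-r FILE" reader is pointed at the FIFO, so the uncompress/read/recompress cycle collapses into one streaming pass and nothing uncompressed touches disk. The helper names (read_gz_pcap, gz_ok) are hypothetical, and the assumption that Snort's -r (via libpcap) accepts a FIFO as its file argument must be checked against the Snort version in use.

```shell
#!/bin/sh
# Hypothetical helpers (not from the post): stream a gzip-compressed tcpdump
# into a reader that only takes a file argument, e.g. "snort -r FILE".

# read_gz_pcap FILE.gz READER_CMD...
#   Runs "READER_CMD... <fifo>" while gzip decompresses FILE.gz into the fifo.
#   Returns the reader's exit status (non-zero if the writer failed too).
read_gz_pcap() {
    gz="$1"; shift
    [ -r "$gz" ] || { echo "cannot read $gz" >&2; return 1; }
    fifo=$(mktemp -u "${TMPDIR:-/tmp}/pcap.XXXXXX")
    mkfifo -m 600 "$fifo" || return 1

    # Writer side: decompress into the FIFO in the background. The archive
    # itself is only ever read, so it never needs to be recompressed.
    gzip -dc "$gz" > "$fifo" &
    writer=$!

    # Reader side: the reader opens the FIFO as if it were an ordinary file.
    rc=0
    "$@" "$fifo" || rc=$?

    # If the reader bailed out before opening the FIFO, the writer is still
    # blocked in open(); kill it so we do not hang forever in wait.
    [ "$rc" -eq 0 ] || kill "$writer" 2>/dev/null
    wait "$writer" 2>/dev/null || rc=1
    rm -f "$fifo"
    return "$rc"
}

# gz_ok FILE.gz
#   Cheap integrity check before the read: a truncated transfer from a sensor
#   shows up here instead of as an unexplained libpcap error mid-stream.
gz_ok() {
    gzip -t "$1" 2>/dev/null
}

# Typical use (assumes snort is on PATH and accepts a FIFO for -r):
#   gz_ok sensor1.pcap.gz && read_gz_pcap sensor1.pcap.gz snort -c snort.conf -r
```

Because the FIFO is consumed sequentially, this only works for readers that never seek backwards in the capture file; for those that do, the uncompressed temporary file is still required.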
