Snort mailing list archives
help improving time it takes to read compressed tcpdumps
From: Erik Melander <Emelander () wyndham com>
Date: Wed, 7 Nov 2001 11:40:30 -0600
As I understand it, Snort does not accept tcpdump data from stdin, but requires the use of the "-r" flag to read tcpdumps. Currently, I pull compressed tcpdumps from my sensors, aggregate them on the analyzing machine, uncompress them, read them into Snort, and recompress them for archival purposes.

I would like to use the Compress::Zlib perl module to uncompress and compress on the fly while dumping the data into stdin (much like the fetchem.pl script does on Shadow). This should significantly reduce the time it takes to read compressed tcpdumps into Snort. Even better would be the ability to compile zlib into snort so it can natively read compressed tcpdumps.

If this is not possible, and anyone has any suggestions for improving the time it takes for this process, I would love to hear them. Thanks!
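As an added example that is not part of the original post or of the Snort project: the shell script below does the on-the-fly decompression the post asks for without a Perl stdin feeder. It decompresses each gzip'd capture into a FIFO and hands the FIFO path to the reader's -r, so nothing uncompressed ever touches disk and there is nothing to recompress afterwards. It assumes gzip, mkfifo and mktemp -d are available and that Snort, through libpcap, will read a FIFO path given to -r; the sample capture it builds is constructed test input, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): feed
# gzip-compressed tcpdump files to a pcap reader such as Snort without
# writing an uncompressed copy to disk.
# Assumptions: gzip, mkfifo and mktemp -d exist, and the reader accepts a
# FIFO path as the argument to -r (libpcap reads it sequentially).

# pcap_gz_ok FILE.gz
# Cheap check before spending reader time on a capture: gzip -t catches
# truncated or corrupt archives, and the first four decompressed bytes
# must be a pcap magic number (a1b2c3d4, or d4c3b2a1 when byte-swapped).
pcap_gz_ok() {
    gzip -t "$1" 2>/dev/null || return 1
    magic=$(gzip -dc "$1" 2>/dev/null | od -An -tx1 -N4 | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# stream_gz_to_reader FILE.gz READER [ARGS...]
# Decompress FILE.gz into a FIFO and run READER with the FIFO path as its
# last argument, e.g.:  stream_gz_to_reader cap.gz snort -c snort.conf -r
# Returns the reader's exit status. The writer is killed if the reader
# never opened the FIFO, so a failing reader cannot leave gzip hanging.
stream_gz_to_reader() {
    gz=$1; shift
    dir=$(mktemp -d) || return 1
    fifo="$dir/pcap.fifo"
    mkfifo "$fifo" || { rm -rf "$dir"; return 1; }
    gzip -dc "$gz" >"$fifo" 2>/dev/null &
    writer=$!
    "$@" "$fifo"
    rc=$?
    kill "$writer" 2>/dev/null
    wait "$writer" 2>/dev/null
    rm -rf "$dir"
    return "$rc"
}

# analyze_gz_dir DIR READER [ARGS...]
# Run READER over every *.gz capture in DIR, skipping anything that is not
# a valid gzip'd pcap and reporting reader failures on stderr.
analyze_gz_dir() {
    dir=$1; shift
    for f in "$dir"/*.gz; do
        [ -e "$f" ] || continue
        if pcap_gz_ok "$f"; then
            stream_gz_to_reader "$f" "$@" || echo "reader failed on $f" >&2
        else
            echo "skipping $f: not a valid gzip'd pcap" >&2
        fi
    done
}

# make_sample_pcap_gz PATH.gz
# Constructed test input, not a real capture: a valid but empty pcap
# (24-byte global header: little-endian magic, version 2.4, thiszone 0,
# sigfigs 0, snaplen 65535, linktype 1 = Ethernet), gzip-compressed.
make_sample_pcap_gz() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
        | gzip -c >"$1"
}

# Typical use on an aggregation host (Snort itself is not run here):
#   analyze_gz_dir /var/captures snort -c /etc/snort/snort.conf -r
```

Because the FIFO is opened only once, a reader that stops early (or never starts) is handled by killing the blocked gzip; the script does not try to reopen the FIFO itself, which would block if the writer had already exited. Process substitution (`snort -r <(gzip -dc cap.gz)`) is the one-liner equivalent on shells that support it, but it is not POSIX sh and gives no way to check the archive first.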