Snort mailing list archives

Re: how snort and ip forwarding fit together


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 25 Jan 2002 14:47:07 -0500

Snort does not pick up IP packets per se. Snort picks up ethernet frames using libpcap. From my understanding (which is probably not exactly correct, but is functionally correct as best I know) pcap is more-or-less an ethernet level library. I view it as seeing traffic between the ethernet device driver and the bottom of the network stack. I suspect that technically speaking pcap attaches to the bottom layer of the network stack and gets to see copies of the packets right after it receives them, or right before it sends them to the device driver, but the differences are minor details and don't really impact what is seen or not seen. For that matter it could attach to the top of the device driver, but the net result would be the same.

So for packets from eth0 with snort listening on eth1, snort will see packets after they have been input filtered for eth0, passed up the IP stack, been forwarded, passed down the IP stack, through any output IP filtering for eth1, and will see them as they are passed to the ethernet driver for transmit.

As far as polling vs kernel signals goes, if it works the way I think it does it is really neither but has some aspects of both. It's blocking IO, not callbacks or polling.

As best I can tell, snort/pcap/linux work together the way most blocking IO operations are handled in Linux. Snort calls a read function; that read function blocks and puts the calling thread to sleep. When data arrives the kernel wakes the sleeping thread by triggering the object it is blocking on (often from the interrupt handler or another function that was sleeping and was woken by the interrupt handler). Snort wakes up, processes, calls read again...

I could be wrong so if I am, please someone feel free to correct me.

At 06:39 PM 1/25/2002 +0000, you wrote:

I am using snort on lrp oxygen & Mandrake (set up as router too).
Snort is sniffing on eth1 & I am flooding traffic from a test system
into eth0. I believe that snort picks up the ip packets from
memory after the ip forwarding function in the kernel puts them
in memory (eth1 outbound queue).

Does snort work in a polling fashion, or does the kernel signal the
snort process each time it puts the packet in memory?

Or I've got it totally wrong!! :)

Any suggestions!

-Dharmin.
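An added example, not code from this thread or from Snort itself: the blocking link-layer read loop described in the reply above, written against the PF_PACKET socket that libpcap uses on Linux; the interface name eth1 is assumed from the poster's setup, and decode_ipv4 is a small helper written for this example, not a libpcap call.

```c
/* Added example (not from the thread): a stripped-down Linux sniffer on the
 * same kind of link-layer socket libpcap uses (PF_PACKET). Frames are read
 * where the network stack hands them to the driver, so on a router a reader
 * bound to eth1 sees forwarded traffic after eth1's output filtering.
 * Build: cc sniff.c   (Linux only; running it needs CAP_NET_RAW / root) */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <linux/if_packet.h>

/* Decode the IPv4 header after the 14-byte Ethernet header into src/dst
 * (dotted quad, INET_ADDRSTRLEN each) and proto; 0 = non-IPv4/truncated. */
int decode_ipv4(const uint8_t *frame, size_t len, char *src, char *dst, int *proto)
{
    if (len < ETH_HLEN + 20) return 0;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_IP) return 0;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return 0;                /* version nibble */
    *proto = ip[9];
    inet_ntop(AF_INET, ip + 12, src, INET_ADDRSTRLEN);
    inet_ntop(AF_INET, ip + 16, dst, INET_ADDRSTRLEN);
    return 1;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "eth1";  /* interface name assumed */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_ll sll = { .sll_family = AF_PACKET,
        .sll_protocol = htons(ETH_P_ALL), .sll_ifindex = if_nametoindex(dev) };
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { perror("bind"); return 1; }
    uint8_t buf[65536]; int proto;
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    /* recv() blocks: the process sleeps until the kernel queues a frame on
     * the socket and wakes it, processes that frame, then reads again. */
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        if (decode_ipv4(buf, (size_t)n, src, dst, &proto))
            printf("%s -> %s proto %d (%zd bytes)\n", src, dst, proto, n);
    }
    close(fd); return 1;
}
```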

