Snort mailing list archives

Re: simultaneous snort and tcpdump


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 20 Sep 2002 14:32:19 -0400

Bennett Todd wrote:

> In testing, I've run both snort and tcpdump (and other libpcap based
> sniffing programs) concurrently against the same promisc interface,
> and even concurrently used that same interface for real network
> interaction.
>
> As far as I know, you can just run your snort and your tcpdump at
> the same time; while the performance consequences might not be
> ideal, I suspect they'd be better than one tcpdump teeing to a fifo
> for snort then piping into another tcpdump.

My experiences are the same as Bennett's. I've got ntop and
snort running on the same interface and they seem to be
sharing it fine.

When I first contemplated doing this, I did some superficial
research that suggested to me that this wouldn't be a problem.
After diving through pcap code and then into the kernel
network handling code, I came to the conclusion that all
pcap applications have a PF_SOCKET open whose packet_rcv()
functions are sequentially called by the kernel.

This seems to be very nicely documented in the following two
articles:

http://www.linuxjournal.com/article.php?sid=4852
and
http://www.linuxjournal.com/article.php?sid=5617


-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
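
The sharing behaviour both posts describe can be checked directly on a Linux host. The script below is an added example, not code from this thread: it opens two independent AF_PACKET sockets on one interface (the same kind of socket libpcap opens for snort or tcpdump), sends a single marked UDP datagram over the loopback, and reports whether both sockets received their own copy. It assumes Linux, an interface named `lo`, and CAP_NET_RAW (root); the function returns None when those are not available.

```python
import os
import socket
import time

ETH_P_ALL = 0x0003  # <linux/if_ether.h>: deliver frames of every protocol


def two_packet_sockets_see_same_frame(iface="lo", timeout=2.0):
    """Open two AF_PACKET sockets on `iface`, send one UDP datagram over
    loopback, and return True if BOTH sockets received a copy of it.
    Returns None if packet sockets cannot be used here (not Linux,
    no CAP_NET_RAW, or no such interface)."""
    if not hasattr(socket, "AF_PACKET"):
        return None
    sniffers = []
    try:
        for _ in range(2):
            s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
            s.bind((iface, 0))
            s.settimeout(timeout)
            sniffers.append(s)
        # Constructed payload: a random marker so we recognise our own frame
        marker = b"pcap-share-test-" + os.urandom(8).hex().encode()
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            tx.sendto(marker, ("127.0.0.1", 9))  # 9/udp = discard; no listener needed
        finally:
            tx.close()
    except OSError:  # PermissionError (no CAP_NET_RAW), ENODEV, no loopback, ...
        for s in sniffers:
            s.close()
        return None
    results = []
    for s in sniffers:  # each socket is read independently of the other
        found = False
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline and not found:
            try:
                found = marker in s.recv(65535)  # skip unrelated traffic
            except socket.timeout:
                break
        results.append(found)
        s.close()
    return all(results)


if __name__ == "__main__":
    print(two_packet_sockets_see_same_frame())
```

Run it as root; a result of True means the kernel handed the same frame to both packet sockets, which is exactly what lets snort and tcpdump share an interface.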

