Snort mailing list archives

Re: Snort as Gigabit Sensor

From: Frank Knobbe <frank () knobbe us>
Date: 31 Jul 2003 16:19:17 -0500

On Thu, 2003-07-31 at 16:02, Chris Green wrote:

Let me ask you this then... is the pcap loop buffered? Does libpcap
buffer packets itself (internally being multi-threaded)? If not, having
at least the acquisition separated and buffered should help Snort not to
drop packets when it is busy logging to the database.


Welcome to why barnyard is a separate process :>  small disk writes
are cheap and buffered by OS, let the pending stuff happen in snort.


Touche. Still didn't answer my question though :)  How much buffering
occurs in libpcap? 

Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Re: Snort as Gigabit Sensor, (continued)
- Re: Snort as Gigabit Sensor Marc Quibell (Jul 24)
- RE: Snort as Gigabit Sensor Banniza Robert (Jul 24)
- RE: Snort as Gigabit Sensor Hutchinson, Andrew (Jul 25)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 25)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 29)
  - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)
    - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)
    - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Frank Knobbe (Jul 31)
    - Re: Snort as Gigabit Sensor Chris Green (Jul 31)
    - Re: Snort as Gigabit Sensor Phil Wood (Jul 31)
- RE: Snort as Gigabit Sensor Donofrio, Lewis (Jul 29)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 31)
- RE: Snort as Gigabit Sensor Kreimendahl, Chad J (Jul 31)