Snort mailing list archives

Re: snort 2.0.0 with libpcap-0.8.030609


From: Phil Wood <cpw () lanl gov>
Date: Wed, 6 Aug 2003 21:26:00 -0600


I'm running 2.0 with it ("my libpcap").  It would be interesting if you
could have two boxes, one running redhat's and the other "mine" and see
if there was any difference.  I think that redhat incorporated the same
Alexey K. mmap patch that I did.  I enhanced his patch by adding the
stats as well as a larger ring buffer.  I know for a fact that a larger
buffer gets you over some humps in traffic.  But, I also know that I
can lose packets when the going gets tough.  The stats I generate sometimes
help pinpoint the exact time when packets started to get dropped.
If you have additional data (possibly a tcpdump on a different box
collecting every packet (but just 68 bytes or less worth)) you might
get a hint as to just what conditions on the net are driving up
your packet loss.

BTW, check the FAQ for information about how to improve the odds.  For
example, using barnyard to do the sql or whatever post processing you
want to do, and snort to just zap out the alerts in the "unified"
format.

Later,

On Wed, Aug 06, 2003 at 03:51:41PM -0700, Duda Consulting wrote:
Has this version of libpcap been tested well with snort 2.0.0?

I need to run snort 2.0.0 on stock baseline redhat 8 with fiber gigabit
(250mbits max). Redhat uses 0.6.2 libpcap with patches.

Your changes to libpcap seem worth the switch to your 0.8 version, but didn't
see any information about snort 2.0.0 with it.

Thanks,
Eric Duda


-- 
Phil Wood, cpw () lanl gov


