Re: snort tcpdump binary file mirroing overnetwork.

[Michael Sierchio <kudzu () tenebras com>]

You may not find this particularly helpful, but I'll mention
it anyway.  On a different sensor box (these are Soekris
net4501s, adequate for *recording* all packets at T1 rate),
I run tcpdump as a service:

tcpdump -n -i sis1 -s 0 -w /var/tcpdump/rawdump -C 8

which writes to a file on a memory (RAM) disk
so that the file is closed and a new file written to
when the size exceeds 8,000,000 bytes.  A cron job
runs each minute to move any old files off of the
machine, which has no disk other than a compact
flash.  This seems to work reasonably well, and
doesn't require the Phil Wood patch at the current
data rate.



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users