Snort mailing list archives

PF_RING question

From: "Dennis Henderson" <hendo () hendohome com>
Date: Wed, 22 Jun 2005 22:16:09 -0500

Is there anyone out there using PF_RING for your snort setup?

I seem to have it compiled into the kernel and have a modified libpcap that
works.

The problem is that I think that PF_RING is only letting me see 68 bytes of
every packet.


I'm using env vars  PCAP_FRAMES=max and PCAP_SNAPLEN=1514 but when I
actually sniff the traffic using tcpdump with a -s 1514, I don't see packets
bigger than 68 bytes.

Have any of you clueful persons out there seen this behavior?


Thanks


Dennis




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

PF_RING question Dennis Henderson (Jun 22)
- <Possible follow-ups>
- RE: PF_RING question Milani Paolo (Jun 23)
  - RE: PF_RING question Dennis Henderson (Jun 23)