Re: max bpf filter size?

[Martin Roesch <roesch () sourcefire com>]

On Sun, Jul 18, 2010 at 8:03 PM, Jason Haar <Jason.Haar () trimble co nz> wrote:
>  Hi there
>
> Simple question: I have a large-and-growing BPF filter, and am getting
> nervous I'm going to hit some maximum size at some time. I'm already
> doing it by putting the filter into a file (ie it's not shell-bound),
> but I'm guessing there's some limit? Also, I'm doing this with both
> snort and daemonlogger, so don't know if there are application-specific
> limits that are different from pcap library limits?

Hi Jason,

Daemonlogger will read up to the filesize returned by stat(2) when
you're loading from a file.  When reading from the shell you're only
limited by the max shell command size and libpcap.

It looks like Snort works the same way just perusing Snort 2.8.6.  I'm
not sure what libpcap's limit on filter size is but I imagine it's
quite large (megabytes?).

Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users