Snort mailing list archives

Mmapped Capture on Linux


From: Mike Lococo <mikelococo () gmail com>
Date: Wed, 11 Aug 2010 18:36:23 -0400

Hi Folks,

I'm interested to know if anyone has attempted to do mmapped capture with
snort using the stock libpcap distribution.  The manual still references
Phil Wood's rather old patches based on libpcap-0.9.8, and all of the
web/mailing-list references I can find use that or various other old
patches.

According to the CHANGES file that ships with libpcap, it has supported
memory-mapped capture on Linux since 1.0.0:

  http://github.com/mcr/libpcap/blob/3c13ac2cc3e06899a8ed1aca3e88b2abebb02c9a/CHANGES

Russ Combs recently suggested that snort has support for it in recent
releases:

  http://seclists.org/snort/2010/q3/66

I'm having trouble finding documentation or any evidence of folks using
this feature though.  Does it require configuration to enable, or is it
automatic as long as the kernel, libpcap, and snort version all support
it?  Is there a way to test and confirm that mmapped capture is being
used on a given snort instance?

Cheers,
Mike Lococo
