Snort mailing list archives

Re: Mmapped Capture on Linux


From: Mike Lococo <mikelococo () gmail com>
Date: Thu, 12 Aug 2010 17:57:17 -0400

It looks like the later versions will use mmap if possible.

A crude way to check on Linux: run this before and after starting Snort:

    grep -i mapped /proc/meminfo

The mapped allocation grows a bit and then bounces around after enabling
Snort.  Prior to enabling Snort, it's quite stable.  I assume this means
that we're using mmapped collection already.

BTW, you can go to Snort 2.9.0 and use afpacket.  That uses mmap and
works with live traffic both passive and inline.  :)

I'll have a peek at this.  I'm still seeing ~ 10% packet loss at
50mbit/sec on a fairly monstrous box with very little CPU usage.  I'll
also have to look into kernel-tuning a bit.  I've been spoiled by Endace
Dag cards on high-bandwidth links.  Monitoring a measly 150 megabits on
a commodity ethernet card seems difficult by comparison.

Thanks for your help.

Cheers,
Mike Lococo
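
A per-process alternative to the system-wide `/proc/meminfo` check discussed in the message above, as an added example that is not part of the original post: it joins a process's `maps` file with `/proc/net/packet` to list the AF_PACKET sockets that process has mmapped. It assumes a mapped packet ring appears in `maps` as `socket:[inode]`; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the AF_PACKET sockets a
# process has mmapped. Live use, as root:
#   mmapped_packet_inodes /proc/<snort pid>/maps /proc/net/packet

# mmapped_packet_inodes MAPS_FILE PACKET_FILE
# Prints the inode of every socket mapping in MAPS_FILE that is also an
# AF_PACKET socket in PACKET_FILE. No output means no mmapped capture ring.
mmapped_packet_inodes() {
    awk '
        FILENAME == ARGV[1] {             # /proc/net/packet: inode is last column
            if (FNR > 1) packet[$NF] = 1  # skip the header row
            next
        }
        $6 ~ /^socket:\[[0-9]+\]$/ {      # maps: assumed form of a socket mapping
            ino = $6
            gsub(/[^0-9]/, "", ino)       # "socket:[48211]" -> "48211"
            # Other socket types can be mapped too, so require a packet socket.
            if ((ino in packet) && !seen[ino]++) print ino
        }
    ' "$2" "$1"
}

# Constructed sample data (not captured from a real sensor):
#   48211  packet socket with a mapped ring  -> reported
#   48300  packet socket read without a ring -> not reported
#   51002  mapped socket of another family   -> not reported
write_samples() {
    cat > "$1/packet" <<'EOF'
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff880012340000 3      3    0003   2     1 0      0      48211
ffff880012341000 3      3    0003   3     1 0      0      48300
EOF
    cat > "$1/maps" <<'EOF'
00400000-004f2000 r-xp 00000000 08:01 131090 /usr/local/bin/snort
7f3a10000000-7f3a12000000 rw-s 00000000 00:07 48211 socket:[48211]
7f3a14000000-7f3a14021000 rw-s 00000000 00:07 51002 socket:[51002]
7f3a20000000-7f3a20200000 r--p 00000000 08:01 262200 /lib/libc-2.11.so
EOF
}

# Demo on the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp"
mmapped_packet_inodes "$tmp/maps" "$tmp/packet"
rm -rf "$tmp"
```
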
