Snort mailing list archives
Re: Quick questions about recieved packets
From: sekure <sekure () gmail com>
Date: Wed, 26 Oct 2005 19:10:46 -0400
You can always just "ldd /path/to/snort" to see which pcap library is used, and you might get lucky.

I believe by default when you build libpcap it doesn't build shared libraries, so you might have to read some documentation to get it to do that. I could be wrong, but I believe it builds static libraries and I had to recompile snort and have those libraries statically linked. You can also build dynamic libraries and in that case you don't have to recompile snort... your call...

Anyways, once you get snort to use the new library, you have to define PCAP_FRAMES variable before you launch snort. Try PCAP_FRAMES=max to start with and go from there. Google it, or go to the page where you got the library, there is some documentation on the subject.

Good luck.

On 10/26/05, Joseph Nicholson <wjnicholson () gmail com> wrote:
Well I got my head out of my butt and realized what my major issue was. I was running Snort from the command line for testing purposes before I set it up to run at boot as a Daemon. I was using the following command line:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -v

I kinda forgot that verbose mode will cause a ton of dropped packets like I was getting. I am now after a 10 min run without the -v getting 10% loss instead of 90%. That is something I could live with or at least close the gap on easier.

I installed the new pcap library as suggested above. I am using Fedora Core 3 (yeah I know, don't say it :-P) and I downloaded the lib, un-tarred it, did the configure, make, make install dance around the fire pit. I rebooted the server. Will that pcap lib actually be used or is there something I have to change somewhere to tell FC3 not to use the pcap lib that it came with and to use my new one?

On 10/26/05, Joseph Nicholson <wjnicholson () gmail com> wrote:

I went ahead and disabled all of the rulesets to see if that made any difference. Unfortunately it made no difference at all. My next question will be if I use the pcap library suggested above, when I install it will Snort know to use it automatically or will I have to change something so Snort will know?
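The check discussed in this thread (run ldd on the Snort binary, then decide whether a rebuild is needed) can be scripted as below. This is an added example, not part of the original posts; the function names and the sample ldd output are constructed for illustration, and the interpretation of each result follows the description given in the reply above.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a binary gets libpcap,
# based on `ldd` output read from stdin.
#   dynamic:<path>  a shared libpcap is resolved at run time, so replacing
#                   that file changes what the binary uses without a rebuild
#   missing         the binary wants a shared libpcap the loader cannot find
#   static-or-none  no libpcap line; for a capturing binary this means libpcap
#                   was linked statically and the binary must be rebuilt
pcap_linkage() {
    awk '
        /libpcap/ {
            seen = 1
            if ($0 ~ /not found/) { print "missing"; exit }
            for (i = 1; i < NF; i++)
                if ($i == "=>") { print "dynamic:" $(i + 1); exit }
            print "dynamic:" $1   # no "=>": ldd printed a bare path
            exit
        }
        END { if (!seen) print "static-or-none" }
    '
}

# Convenience wrapper; $1 is the binary to inspect. A fully static binary
# makes ldd print nothing on stdout, which also yields "static-or-none".
check_binary() {
    ldd "$1" 2>/dev/null | pcap_linkage
}

# Constructed sample ldd output (library paths and addresses are made up).
SAMPLE_DYNAMIC='	libpcap.so.0.9 => /usr/local/lib/libpcap.so.0.9 (0x00b2d000)
	libc.so.6 => /lib/tls/libc.so.6 (0x00a1f000)'
SAMPLE_STATIC='	libm.so.6 => /lib/tls/libm.so.6 (0x00b01000)
	libc.so.6 => /lib/tls/libc.so.6 (0x00a1f000)'

# On a real host, with the path and options used in the thread (minus -v):
#   check_binary /usr/local/bin/snort
#   PCAP_FRAMES=max /usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort
```

If the result is `dynamic:` with a path that is still the distribution's library rather than the newly installed one, the loader is resolving the old copy first and the new build is not in use.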
