Snort mailing list archives

Re: snort 2.8.5.3 and PCAP_FRAMES


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 12 May 2010 09:20:53 -0400

Are you sure that PCAP_FRAMES is set in the "snort" user environment you are
running under?

All snort does with that is indicate whether it is set.  It is up to the
libpcap you have to actually use it.

On Wed, May 12, 2010 at 8:54 AM, Joel Esler <jesler () sourcefire com> wrote:

Just out of curiosity, have you tried it with 2.8.6.0?  Just to see if
we've already fixed it in the current Snort version?  (I have NOT tested it
here on either version)


On Wed, May 12, 2010 at 12:43 AM, Russell Fulton <r.fulton () auckland ac nz> wrote:

I've just noticed that my snort is no longer using PCAP_FRAMES ???

[snort@monitor-dmzo ~]$ snort -V

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.8.5.3 (Build 124)
  ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2009 Sourcefire, Inc., et al.
          Using PCRE version: 6.6 06-Feb-2006

[snort@monitor-dmzo ~]$ env | grep PCAP
PCAP_FRAMES=32000

[snort@monitor-dmzo ~]$ sudo snort -D   -A none -c conf/snort.conf.eth3 -u snort -g snort -i eth3 -l /home/snort/data/eth3 -m 0002 -S INT=eth3

[snort@monitor-dmzo ~]$ sudo tail /var/log/messages
May 12 04:33:51 monitor-dmzo snort[3579]: | Num States       : 635820
May 12 04:33:51 monitor-dmzo snort[3579]: | Num Transitions  : 45289523
May 12 04:33:51 monitor-dmzo snort[3579]: | State Density    : 27.8%
May 12 04:33:51 monitor-dmzo snort[3579]: | Finite Automatum : DFA
May 12 04:33:51 monitor-dmzo snort[3579]: | Memory           : 434.13Mbytes
May 12 04:33:51 monitor-dmzo snort[3579]: +-------------------------------------------------------------
May 12 04:33:51 monitor-dmzo snort[3579]:
May 12 04:33:51 monitor-dmzo snort[3579]:         --== Initialization Complete ==--
May 12 04:33:51 monitor-dmzo snort[3579]: Snort initialization completed successfully (pid=3579)
May 12 04:33:51 monitor-dmzo snort[3579]: Not Using PCAP_FRAMES

I have the latest version of libpcap from lbl installed and recompiled
snort with --with-libcap-dir=/usr/local/lib...

Any ideas?

Russell

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
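
Added example (not part of the thread, and not Snort or libpcap code): one way to answer the question in the reply above is to read the environment the running snort process actually received, which can differ from the login shell's `env` output when the process is started through another program such as sudo. The function names are hypothetical, and the script assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example: report whether a variable is present in the environment a
# process was started with, by reading its NUL-separated environ file.
# Linux-specific (/proc); reading another user's process needs root.
# Values containing embedded newlines are not handled.

# env_file_get FILE VAR -> prints VAR's value; returns 1 if VAR is absent,
# 2 if FILE cannot be read.
env_file_get() {
    file=$1 var=$2
    [ -r "$file" ] || return 2
    # NUL separators become newlines; match "VAR=" only at the start of an
    # entry so that e.g. XPCAP_FRAMES does not count as PCAP_FRAMES.
    tr '\0' '\n' < "$file" | awk -v v="$var" '
        index($0, v "=") == 1 { print substr($0, length(v) + 2); found = 1; exit }
        END { exit !found }'
}

# proc_env_get PID VAR -> same lookup for a live process.
proc_env_get() {
    env_file_get "/proc/$1/environ" "$2"
}

# check_pcap_frames PID -> one-line verdict for that process.
check_pcap_frames() {
    pid=$1
    if val=$(proc_env_get "$pid" PCAP_FRAMES); then
        echo "pid $pid: PCAP_FRAMES=$val"
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            echo "pid $pid: cannot read /proc/$pid/environ (no such pid, or not root)"
        else
            echo "pid $pid: PCAP_FRAMES is not set in the process environment"
        fi
        return "$rc"
    fi
}

# Usage: sudo sh check_pcap_frames.sh $(pidof snort)
if [ "$#" -gt 0 ]; then
    for p in "$@"; do
        check_pcap_frames "$p"
    done
fi
```
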



