PF ring support in argus
Carter Bullard
carter at qosient.com
Fri Oct 12 10:12:23 EDT 2007
Hey Russell,
I looked around, and I don't think there is anything that argus needs
to do
for you to have it use a pf_ring as a packet source.
Peter's been using rings for a long time, and I don't think he has had
to make any argus changes? You do need to make some kernel changes
but I don't think argus needs to know about that.
Carter
On Oct 12, 2007, at 8:59 AM, Carter Bullard wrote:
> Hey Russell,
> We don't have any specific support for ring buffers, so if we need
> to do something, we should do it now. I'll take a look at snort to
> see if they are doing something interesting.
>
> Carter
>
>
> On Oct 11, 2007, at 8:30 PM, Russell Fulton wrote:
>
>> ummm.... I meant to ask does argus use the ring buffer if /
>> PCAP_FRAMES/
>> is set?
>>
>> (to get snort to use it you need to set /PCAP_FRAMES/=32K )
>>
>> Russell
>>
>> Russell Fulton wrote:
>>> Carter Bullard wrote:
>>>
>>>> Hey Russell,
>>>> Does it crash? Or does it exit? Or does it work, but just
>>>> prints the
>>>> message?
>>>> Argus doesn't use PF_INET anywhere, so it maybe the libpcap
>>>> library?
>>>>
>>>>
>>> installed the newest MMAP version of libpcap from
>>> http://public.lanl.gov/cpw/ and all behaves as it should now.
>>>
>>> Russell
>>>
>>>
>>
>
More information about the argus
mailing list