[Bro-Dev] snaplen and drops

Lothar Braun braun at net.in.tum.de
Thu Nov 3 05:58:51 PDT 2011


On Nov 2, 2011, at 2:51 AM, Martin Holste wrote:

>> I'm a bit puzzled. If I understand things correctly, libpcap-1.0.0 uses AF_PACKET by default (after checking that MMAP support is available in the running kernel).
> I don't think that's how it works, but I'm not a kernel-hacking guru.
> The reason I'm pretty sure it doesn't work that way is that both Snort
> and Suricata IDS include separate data acquisition code for libpcap
> and af_packet, which is nonsensical if you can get af_packet via
> libpcap natively.  I did a bit of Googling and cannot find anything
> definitive one way or the other.

I had a quick look at the libpcap (1.2.0) and the libdaq (0.6.2) code. It seems to me that both of them perform basically the same steps for packet acquisition.

Both create a PF_PACKET socket, and both request a shared memory area for the capturing rx_ring. And both perform similar operations during packet acquisition:

while (running) {
	if (packet_in_buffer) {
		process_packet();   /* hand the frame to the callback, then give it back to the kernel */
	} else {
		poll(socket);       /* block until the kernel has filled the next ring frame */
	}
}
So if you use libpcap >= 1.0.0, you should have AF_PACKET support by default. Snort/Suricata probably implemented separate AF_PACKET support for systems that ship libpcap < 1.0.0. 

Best regards,

Lothar Braun
Chair for Network Architectures and Services (I8)
Department of Informatics
Technische Universität München
Boltzmannstr. 3, 85748 Garching bei München, Germany
Phone:  +49 89 289-18010       Fax: +49 89 289-18033
E-mail: braun at net.in.tum.de 
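The loop sketched above is what both libraries run against the PF_PACKET rx_ring; the part the thread does not show is the ownership handoff that produces drops. What follows is an added, constructed user-space simulation (not code from libpcap, libdaq, Bro, or the kernel) of that handoff: a producer stands in for the kernel, a consumer stands in for libpcap/libdaq, and the `struct frame` type, `RING_FRAMES`, `SNAPLEN` and `run_scenario` are all assumptions of this example. The `TP_STATUS_*` values mirror the Linux TPACKET_V1 constants; everything else is constructed. It shows why a slow consumer produces `tp_drops` even with a ring, and how `tp_snaplen < tp_len` identifies frames truncated by the snaplen.

```c
/* Added example, not libpcap/libdaq code: a user-space simulation of the
 * PF_PACKET rx_ring ownership handoff. Nothing here touches a real socket. */
#include <stdio.h>
#include <string.h>

#define TP_STATUS_KERNEL 0   /* frame owned by the kernel (empty or being filled) */
#define TP_STATUS_USER   1   /* frame filled and handed to user space */

#define RING_FRAMES 4        /* assumed ring size for the simulation */
#define SNAPLEN     64       /* assumed capture length */
#define MAX_PKT     1500

/* Constructed stand-in for struct tpacket_hdr: only the fields the loop uses. */
struct frame {
    unsigned long tp_status;
    unsigned int  tp_len;      /* length of the packet on the wire */
    unsigned int  tp_snaplen;  /* bytes actually copied into the frame */
    unsigned char data[SNAPLEN];
};

struct ring {
    struct frame  frames[RING_FRAMES];
    unsigned int  head;    /* next frame the "kernel" producer writes */
    unsigned int  tail;    /* next frame the consumer reads */
    unsigned long drops;   /* analogous to tpacket_stats.tp_drops */
};

/* Producer mimicking the kernel: if the next slot still belongs to user
 * space, the packet is dropped and counted, like tp_drops for a slow reader. */
static int kernel_deliver(struct ring *r, const unsigned char *pkt, unsigned int len)
{
    struct frame *f = &r->frames[r->head];
    if (f->tp_status != TP_STATUS_KERNEL) {
        r->drops++;
        return 0;
    }
    f->tp_len = len;
    f->tp_snaplen = len > SNAPLEN ? SNAPLEN : len;
    memcpy(f->data, pkt, f->tp_snaplen);
    f->tp_status = TP_STATUS_USER;          /* hand the frame to user space */
    r->head = (r->head + 1) % RING_FRAMES;
    return 1;
}

/* Consumer loop as libpcap/libdaq perform it: process every frame the kernel
 * has handed over, then give each one back. Returns frames processed;
 * *truncated counts frames whose capture was cut short by SNAPLEN. */
static unsigned int user_drain(struct ring *r, unsigned int *truncated)
{
    unsigned int n = 0;
    for (;;) {
        struct frame *f = &r->frames[r->tail];
        if (f->tp_status != TP_STATUS_USER)
            break;                          /* real code would poll() here */
        if (f->tp_snaplen < f->tp_len)
            (*truncated)++;
        n++;
        f->tp_status = TP_STATUS_KERNEL;    /* return the frame to the kernel */
        r->tail = (r->tail + 1) % RING_FRAMES;
    }
    return n;
}

struct result { unsigned int delivered, processed, truncated; unsigned long drops; };

/* Deliver `burst` packets of `pkt_len` bytes before the consumer runs once.
 * Constructed scenario: the burst exceeding RING_FRAMES is what causes drops. */
static struct result run_scenario(unsigned int burst, unsigned int pkt_len)
{
    static unsigned char pkt[MAX_PKT];
    struct ring r;
    struct result res = {0, 0, 0, 0};
    unsigned int i;

    memset(&r, 0, sizeof r);
    memset(pkt, 0xAB, sizeof pkt);          /* constructed payload */
    if (pkt_len > MAX_PKT) pkt_len = MAX_PKT;

    for (i = 0; i < burst; i++)
        res.delivered += kernel_deliver(&r, pkt, pkt_len);
    res.processed = user_drain(&r, &res.truncated);
    res.drops = r.drops;
    return res;
}

int main(void)
{
    struct result res = run_scenario(6, 100);
    printf("delivered=%u processed=%u truncated=%u drops=%lu\n",
           res.delivered, res.processed, res.truncated, res.drops);
    return 0;
}
```

With a 4-frame ring and a 6-packet burst before the reader runs, 4 frames are delivered and processed, 2 packets are dropped, and all 4 captured frames are truncated because 100 bytes exceeds the 64-byte snaplen. The same two counters, `tp_drops` from `PACKET_STATISTICS` and `tp_snaplen` versus `tp_len` per frame, are what a capture pipeline should watch to tell "packets never reached the IDS" apart from "packets arrived but were cut short".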
