next up previous contents
Next: NFQ Up: Packet Acquisition Previous: PCAP   Contents

AFPACKET

afpacket functions similar to the memory mapped pcap DAQ but no external library is required: 

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon like this: 

    eth0:eth1

or this: 

    eth0:eth1::eth2:eth3

By default, the afpacket DAQ allocates 128MB for packet memory. You can change this with: 

    --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher, here's why. Assuming the default packet memory with a snaplen of 1518, the numbers break down like this:

1.
The frame size is 1518 (snaplen) + the size of the AFPacket header (66 bytes) = 1584 bytes.

2.
The number of frames is 128 MB / 1518 = 84733.

3.
The smallest block size that can fit at least one frame is 4 KB = 4096 bytes @ 2 frames per block.

4.
As a result, we need 84733 / 2 = 42366 blocks.

5.
Actual memory allocated is 42366 * 4 KB = 165.5 MB.

next up previous contents
Next: NFQ Up: Packet Acquisition Previous: PCAP   Contents
Eugene Misnik 2013-05-08