>>>>> "powermed" == powermed <[EMAIL PROTECTED]> writes:
powermed> Dear Sir, I have recently set up an open source sensor to place
powermed> in front of my firewall. I am currently running snort and
powermed> tcpdump. The man page recommends against running tcpdump with -s
powermed> 1500 due to packet loss. I am lost here, please advise why this
powermed> logical approach is not recommended, as it seems right to have the
powermed> entire packet for analysis when the sensor sends an alert?
Depending upon your OS, you may run out of buffers (and/or disk space)
faster with -s 1500 than with the default. But, if this is a sensor, then
this is probably worth it.
Depending upon your hardware and network speeds, you may not be able to
keep up, regardless of settings. Certainly a PII-400 can capture 10Mb/s
traffic though.
] Train travel features AC outlets with no take-off restrictions|gigabit is no[
] Michael Richardson, Solidum Systems Oh where, oh where has|problem with[
] [EMAIL PROTECTED] www.solidum.com the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
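The practical check behind the reply above is whether the kernel is actually dropping packets at the larger snaplen on your hardware. The following added example (mine, not from either poster, and not from the tcpdump project) captures at full snaplen into a file and reads the drop counters tcpdump prints on exit. It assumes a modern tcpdump that accepts -s 0 for "whole packet" and -B for the kernel capture buffer size in KiB; the interface name eth0, the output path and the packet count are placeholders.

```shell
#!/bin/sh
# Added example: measure kernel drops when capturing at full snaplen.
# IFACE and OUT are assumptions; override them in the environment.
IFACE="${IFACE:-eth0}"
OUT="${OUT:-/var/tmp/sensor.pcap}"

# Parse tcpdump's exit summary (read on stdin), e.g.
#   1234 packets captured
#   1300 packets received by filter
#   66 packets dropped by kernel
# and print the kernel drop percentage relative to packets received.
drop_pct() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            if (recv == 0) { print "0.00"; exit }
            printf "%.2f\n", 100 * drop / recv
        }'
}

# Capture N packets with the whole frame (-s 0), a 64 MiB kernel buffer (-B)
# and no name resolution (-n), writing raw packets with -w so the capture
# process pays no decoding cost. tcpdump reports its counters on stderr at
# exit; they are redirected into drop_pct.
capture() {
    count="${1:-100000}"
    tcpdump -i "$IFACE" -s 0 -B 65536 -n -c "$count" -w "$OUT" 2>&1 | drop_pct
}
```

A non-zero percentage on a quiet link means the box cannot keep up at that snaplen; raising -B, or moving snort's decoding off the capture host, is the usual first step before giving up on full-packet capture. Note that -c counts packets received by the filter, so the run ends even while the kernel is dropping.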
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe