1.5 Packet Acquisition

Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O. The DAQ replaces direct calls to libpcap functions with an abstraction layer that facilitates operation on a variety of hardware and software interfaces without requiring changes to Snort. It is possible to select the DAQ type and mode when invoking Snort to perform pcap readback or inline operation, etc.


Some network cards have features which can affect Snort. Two of these features are named "Large Receive Offload" (lro) and "Generic Receive Offload" (gro). With these features enabled, the network card performs packet reassembly before they're processed by the kernel.

By default, Snort will truncate packets larger than the default snaplen of 1518 bytes. In addition, LRO and GRO may cause issues with Stream target-based reassembly. We recommend that you turn off LRO and GRO. On linux systems, you can run:

    $ ethtool -K eth1 gro off
    $ ethtool -K eth1 lro off

1.5.1 Configuration

Assuming that you did not disable static modules or change the default DAQ type, you can run Snort just as you always did for file readback or sniffing an interface. However, you can select and configure the DAQ when Snort is invoked as follows:

    ./snort \
        [--daq <type>] \
        [--daq-mode <mode>] \
        [--daq-dir <dir>] \
        [--daq-var <var>]

    config daq: <type>
    config daq_dir: <dir>
    config daq_var: <var>
    config daq_mode: <mode>

    <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
    <mode> ::= read-file | passive | inline
    <var> ::= arbitrary <name>=<value> passed to DAQ
    <dir> ::= path where to look for DAQ module so's

The DAQ type, mode, variable, and directory may be specified either via the command line or in the conf file. You may include as many variables and directories as needed by repeating the arg / config. DAQ type may be specified at most once in the conf and once on the command line; if configured in both places, the command line overrides the conf.

If the mode is not set explicitly, -Q will force it to inline, and if that hasn't been set, -r will force it to read-file, and if that hasn't been set, the mode defaults to passive. Also, -Q and -daq-mode inline are allowed, since there is no conflict, but -Q and any other DAQ mode will cause a fatal error at start-up.

Note that if Snort finds multiple versions of a given library, the most recent version is selected. This applies to static and dynamic versions of the same library.

    ./snort --daq-list[=<dir>]
    ./snort --daq-dir=<dir> --daq-list

The above commands search the specified directories for DAQ modules and print type, version, and attributes of each. This feature is not available in the conf. Snort stops processing after parsing -daq-list so if you want to add one or more directories add -daq-dir options before -daq-list on the command line. (Since the directory is optional to -daq-list, you must use an = without spaces for this option.)

1.5.2 pcap

pcap is the default DAQ. if snort is run w/o any DAQ arguments, it will operate as it always did using this module. These are equivalent:

    ./snort -i <device>
    ./snort -r <file>

    ./snort --daq pcap --daq-mode passive -i <device>
    ./snort --daq pcap --daq-mode read-file -r <file>

You can specify the buffer size pcap uses with:

    ./snort --daq pcap --daq-var buffer_size=<#bytes>

Note that the pcap DAQ does not count filtered packets.


afpacket functions similar to the memory mapped pcap DAQ but no external library is required:

    ./snort --daq afpacket -i <device>
            [--daq-var buffer_size_mb=<#MB>]
            [--daq-var debug]

If you want to run afpacket in inline mode, you must set device to one or more interface pairs, where each member of a pair is separated by a single colon and each pair is separated by a double colon like this:


or this:


By default, the afpacket DAQ allocates 128MB for packet memory. You can change this with:

    --daq-var buffer_size_mb=<#MB>

Note that the total allocated is actually higher, here's why. Assuming the default packet memory with a snaplen of 1518, the numbers break down like this:

The frame size is 1518 (snaplen) + the size of the AFPacket header (66 bytes) = 1584 bytes.

The number of frames is 128 MB / 1518 = 84733.

The smallest block size that can fit at least one frame is 4 KB = 4096 bytes @ 2 frames per block.

As a result, we need 84733 / 2 = 42366 blocks.

Actual memory allocated is 42366 * 4 KB = 165.5 MB.

1.5.4 NFQ

NFQ is the new and improved way to process iptables packets:

    ./snort --daq nfq \
        [--daq-var device=<dev>] \
        [--daq-var proto=<proto>] \
        [--daq-var queue=<qid>] \
	[--daq-var queue_len=<qlen>]

    <dev> ::= ip | eth0, etc; default is IP injection
    <proto> ::= ip4 | ip6 | ip*; default is ip4
    <qid> ::= 0..65535; default is 0
    <qlen> ::= 0..65535; default is 0

Notes on iptables can be found in the DAQ distro README.

1.5.5 IPQ

IPQ is the old way to process iptables packets. It replaces the inline version available in pre-2.9 versions built with this:

    ./configure --enable-inline / -DGIDS

Start the IPQ DAQ as follows:

    ./snort --daq ipq \
        [--daq-var device=<dev>] \
        [--daq-var proto=<proto>] \

    <dev> ::= ip | eth0, etc; default is IP injection
    <proto> ::= ip4 | ip6; default is ip4

1.5.6 IPFW

IPFW is available for BSD systems. It replaces the inline version available in pre-2.9 versions built with this:

    ./configure --enable-ipfw / -DGIDS -DIPFW

This command line argument is no longer supported:

    ./snort -J <port#>

Instead, start Snort like this:

    ./snort --daq ipfw [--daq-var port=<port>]

    <port> ::= 1..65535; default is 8000

* IPFW only supports ip4 traffic.

1.5.7 Dump

The dump DAQ allows you to test the various inline mode features available in 2.9 Snort like injection and normalization.

    ./snort -i <device> --daq dump
    ./snort -r <pcap> --daq dump

By default a file named inline-out.pcap will be created containing all packets that passed through or were generated by snort. You can optionally specify a different name.

    ./snort --daq dump --daq-var file=<name>

dump uses the pcap daq for packet acquisition. It therefore does not count filtered packets.

Note that the dump DAQ inline mode is not an actual inline mode. Furthermore, you will probably want to have the pcap DAQ acquire in another mode like this:

    ./snort -r <pcap> -Q --daq dump --daq-var load-mode=read-file
    ./snort -i <device> -Q --daq dump --daq-var load-mode=passive

1.5.8 Statistics Changes

The Packet Wire Totals and Action Stats sections of Snort's output include additional fields:

The action stats show "blocked" packets instead of "dropped" packets to avoid confusion between dropped packets (those Snort didn't actually see) and blocked packets (those Snort did not allow to pass).