{"id":49341759,"url":"https://github.com/redborder/daq","last_synced_at":"2026-04-27T04:04:58.343Z","repository":{"id":143877212,"uuid":"67993576","full_name":"redBorder/daq","owner":"redBorder","description":"Snort/Suricata DAQ module with DPDK patch","archived":false,"fork":false,"pushed_at":"2024-01-25T17:40:52.000Z","size":556,"stargazers_count":10,"open_issues_count":0,"forks_count":6,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-01-25T18:54:35.716Z","etag":null,"topics":["redborder","redborder-ng","snort"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/redBorder.png","metadata":{"files":{"readme":"README","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-09-12T09:06:27.000Z","updated_at":"2023-11-22T17:26:02.000Z","dependencies_parsed_at":"2024-01-25T19:03:57.886Z","dependency_job_id":null,"html_url":"https://github.com/redBorder/daq","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/redBorder/daq","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redBorder%2Fdaq","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redBorder%2Fdaq/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redBorder%2Fdaq/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redBorder%2Fdaq/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/redBorder","download_url":"https://codeload.github.com/redBorder/daq/tar.gz/refs/heads/master","sbom_url":"https:/
/repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/redBorder%2Fdaq/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32321945,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["redborder","redborder-ng","snort"],"created_at":"2026-04-27T04:04:58.181Z","updated_at":"2026-04-27T04:04:58.330Z","avatar_url":"https://github.com/redBorder.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"Snort 2.9 introduces the DAQ, or Data Acquisition library, for packet I/O.  The\nDAQ replaces direct calls to libpcap functions with an abstraction layer that\nfacilitates operation on a variety of hardware and software interfaces without\nrequiring changes to Snort.  It is possible to select the DAQ type and mode\nwhen invoking Snort to perform pcap readback or inline operation, etc.  
The\nDAQ library may be useful for other packet processing applications and the\nmodular nature allows you to build new modules for other platforms.\n\nThis README summarizes the important things you need to know to use the DAQ.\n\n\nBuilding the DAQ Library and DAQ Modules\n========================================\n\nThe DAQ is bundled with Snort but must be built first using these steps:\n\n    ./configure\n    make\n    sudo make install\n\nThis will build and install both static and dynamic DAQ modules.\n\nNote that pcap \u003e= 1.0.0 is required.  pcap 1.1.1 is available at the time\nof this writing and is recommended.\n\nAlso, libdnet is required for IPQ and NFQ DAQs.  If you get a relocation error\ntrying to build those DAQs, you may need to reinstall libdnet and configure it\nwith something like this:\n\n    ./configure \"CFLAGS=-fPIC -g -O2\"\n\nYou may also experience problems trying to find the dynamic dnet library\nbecause it isn't always named properly.  Try creating a link to the shared\nlibrary (identified by its .x or .x.y etc. extension) with the same name but\nwith \".so\" inserted as follows:\n\n    $ ln -s libdnet.1.1 libdnet.so.1.1\n    $ ldconfig -Rv /usr/local/lib 2\u003e\u00261 | grep dnet\n      Adding /usr/local/lib/libdnet.so.1.1\n\nAlternatively, you should be able to fix both issues as follows:\n\n    libtoolize --copy --force\n    aclocal -I config\n    autoheader\n    autoconf\n    automake --foreign\n\nWhen the DAQ library is built, both static and dynamic flavors will be\ngenerated.  The various DAQ modules will be built if the requisite headers and\nlibraries are available.  You can disable individual modules, etc. with options\nto configure.  For the complete list of configure options, run:\n\n    ./configure --help\n\n\nPCAP Module\n===========\n\npcap is the default DAQ.  If snort is run w/o any DAQ arguments, it will\noperate as it always did using this module.  
These are equivalent:\n\n    ./snort -i \u003cdevice\u003e\n    ./snort -r \u003cfile\u003e\n\n    ./snort --daq pcap --daq-mode passive -i \u003cdevice\u003e\n    ./snort --daq pcap --daq-mode read-file -r \u003cfile\u003e\n\nYou can specify the buffer size pcap uses with:\n\n    ./snort --daq pcap --daq-var buffer_size=\u003c#bytes\u003e\n\n* The pcap DAQ does not count filtered packets. *\n\n\nAFPACKET Module\n===============\n\nafpacket functions similarly to the pcap DAQ but with better performance:\n\n    ./snort --daq afpacket -i \u003cdevice\u003e\n            [--daq-var buffer_size_mb=\u003c#MB\u003e]\n            [--daq-var debug]\n\nIf you want to run afpacket in inline mode, you must craft the device string as\none or more interface pairs, where each member of a pair is separated by a\nsingle colon and each pair is separated by a double colon like this:\n\n    eth0:eth1\n\nor this:\n\n    eth0:eth1::eth2:eth3\n\nBy default, the afpacket DAQ allocates 128MB for packet memory.  You can change\nthis with:\n\n    --daq-var buffer_size_mb=\u003c#MB\u003e\n\nNote that the total allocated is actually higher; here's why.  
Assuming the\ndefault packet memory with a snaplen of 1518, the numbers break down like this:\n\n* The frame size is 1518 (snaplen) + the size of the AFPacket header (66\n  bytes) = 1584 bytes.\n\n* The number of frames is 128 MB / 1518 = 84733.\n\n* The smallest block size that can fit at least one frame is  4 KB = 4096 bytes\n  @ 2 frames per block.\n\n* As a result, we need 84733 / 2 = 42366 blocks.\n\n* Actual memory allocated is 42366 * 4 KB = 165.5 MB.\n\nNOTE: Linux kernel version 2.6.31 or higher is required for the AFPacket DAQ\nmodule due to its dependency on both TPACKET v2 and PACKET_TX_RING support.\n\n\nNFQ Module\n==========\n\nNFQ is the new and improved way to process iptables packets:\n\n    ./snort --daq nfq \\\n        [--daq-var device=\u003cdev\u003e] \\\n        [--daq-var proto=\u003cproto\u003e] \\\n        [--daq-var queue=\u003cqid\u003e]\n\n    \u003cdev\u003e ::= ip | eth0, etc; default is IP injection\n    \u003cproto\u003e ::= ip4 | ip6; default is ip4\n    \u003cqid\u003e ::= 0..65535; default is 0\n\nThis module cannot run unprivileged, so ./snort -u -g will produce a warning\nand won't change user or group.\n\nNotes on iptables are given below.\n\n\nIPQ Module\n==========\n\nIPQ is the old way to process iptables packets.  It replaces the inline version\navailable in pre-2.9 versions built with this:\n\n    ./configure --enable-inline\n\nNote that layer 2 resets are not supported with the IPQ DAQ:\n\n    config layer2resets[: \u003cmac\u003e]\n\nStart the IPQ DAQ as follows:\n\n    ./snort --daq ipq \\\n        [--daq-var device=\u003cdev\u003e] \\\n        [--daq-var proto=\u003cproto\u003e]\n\n    \u003cdev\u003e ::= ip | eth0, etc; default is IP injection\n    \u003cproto\u003e ::= ip4 | ip6; default is ip4\n\nThis module cannot run unprivileged, so ./snort -u -g will produce a warning\nand won't change user or group.\n\nNotes on iptables are given below.\n\n\nIPFW Module\n===========\n\nIPFW is available for BSD systems.  
It replaces the inline version available in\npre-2.9 versions built with this:\n\n    ./configure --enable-ipfw\n\nThis command line argument is no longer supported:\n\n    ./snort -J \u003cport#\u003e\n\nInstead, start Snort like this:\n\n    ./snort --daq ipfw [--daq-var port=\u003cport\u003e]\n\n    \u003cport\u003e ::= 1..65535; default is 8000\n\n* IPFW only supports ip4 traffic.\n\nNotes on FreeBSD and OpenBSD are given below.\n\n\nDump Module\n===========\n\nThe dump DAQ allows you to test the various inline mode features available in\n2.9 Snort like injection and normalization.\n\n    ./snort -i \u003cdevice\u003e --daq dump\n    ./snort -r \u003cpcap\u003e --daq dump\n\nBy default a file named inline-out.pcap will be created containing all packets\nthat passed through or were generated by snort.  You can optionally specify a\ndifferent name.\n\n    ./snort --daq dump --daq-var file=\u003cname\u003e\n\ndump uses the pcap daq for packet acquisition.  It therefore does not count\nfiltered packets (a pcap limitation).\n\nNote that the dump DAQ inline mode is not an actual inline mode.  Furthermore,\nyou will probably want to have the pcap DAQ acquire in another mode like this:\n\n    ./snort -r \u003cpcap\u003e -Q --daq dump --daq-var load-mode=read-file\n    ./snort -i \u003cdevice\u003e -Q --daq dump --daq-var load-mode=passive\n\n\nNetmap Module\n=============\n\nThe netmap project is a framework for very high speed packet I/O.  It is\navailable on both FreeBSD and Linux with varying amounts of preparatory\nsetup required.  
Specific notes for each follow.\n\n    ./snort --daq netmap -i \u003cdevice\u003e\n            [--daq-var debug]\n\nIf you want to run netmap in inline mode, you must craft the device string as\none or more interface pairs, where each member of a pair is separated by a\nsingle colon and each pair is separated by a double colon like this:\n\n    em1:em2\n\nor this:\n\n    em1:em2::em3:em4\n\nInline operation performs Layer 2 forwarding with no MAC filtering, akin to the\nAFPacket module's behavior.  All packets received on one interface in an inline\npair will be forwarded out the other interface unless dropped by the reader and\nvice versa.\n\nIMPORTANT: The interfaces will need to be up and in promiscuous mode in order to\nfunction ('ifconfig em1 up promisc').  The DAQ module does not currently do\neither of these configuration steps for itself.\n\nFreeBSD\n-------\nIn FreeBSD 10.0, netmap has been integrated into the core OS.  In order to use\nit, you must recompile your kernel with the line\n\n    device netmap\n\nadded to your kernel config.\n\nLinux\n-----\nYou will need to download the netmap source code from the project's repository:\n\n    https://code.google.com/p/netmap/\n\nFollow the instructions on the project's homepage for compiling and installing\nthe code:\n\n    http://info.iet.unipi.it/~luigi/netmap/\n\nIt will involve a standalone kernel module (netmap_lin) as well as patching and\nrebuilding the kernel module used to drive your network adapters. The following\ndrivers are supported under Linux at the time of writing (June 2014):\n\n    e1000\n    e1000e\n    forcedeth\n    igb\n    ixgbe\n    r8169\n    virtio\n\nTODO:\n- Support for attaching to only a single ring (queue) on a network adapter.\n- Support for VALE and netmap pipes.\n\n\nNotes on iptables\n=================\n\nThese notes are just a quick reminder that you need to set up iptables to use\nthe IPQ or NFQ DAQs.  Doing so may cause problems with your network so tread\ncarefully.  
The examples below are intentionally incomplete so please read the\nrelated documentation first.\n\nHere is a blog post by Marty for historical reference:\n\n    http://archives.neohapsis.com/archives/snort/2000-11/0394.html\n\nYou can check this out for queue sizing tips:\n\n    http://www.inliniac.net/blog/2008/01/23/improving-snort_inlines-nfq-performance.html\n\nYou might find useful IPQ info here:\n\n    http://snort-inline.sourceforge.net/\n\nUse this to examine your iptables:\n\n    sudo /sbin/iptables -L\n\nUse something like this to set up NFQ:\n\n    sudo /sbin/iptables\n        -I \u003ctable\u003e [\u003cprotocol stuff\u003e] [\u003cstate stuff\u003e]\n        -j NFQUEUE --queue-num 1\n\nUse something like this to set up IPQ:\n\n    sudo iptables -I FORWARD -j QUEUE\n\nUse something like this to \"disconnect\" snort:\n\n    sudo /sbin/iptables -D \u003ctable\u003e \u003crule pos\u003e\n\nBe sure to start Snort prior to routing packets through NFQ with iptables.\nSuch packets will be dropped until Snort is started.\n\nThe queue-num is the number you must give Snort.\n\nIf you are running on a system with both NFQ and IPQ support, you may\nexperience some start-up failures of the sort:\n\nThe solution seems to be to remove both modules from the kernel like this:\n\n    modprobe -r nfnetlink_queue\n    modprobe -r ip_queue\n\nand then install the module you want:\n\n    modprobe ip_queue\n\nor:\n\n    modprobe nfnetlink_queue\n\nThese DAQs should be run with a snaplen of 65535 since the kernel defrags the\npackets before queuing.  
Also, no need to configure frag3.\n\n\nNotes on FreeBSD::IPFW\n======================\n\nCheck the online manual at:\n\n    http://www.freebsd.org/doc/handbook/firewalls-ipfw.html.\n\nHere is a brief example to divert icmp packets to Snort at port 8000:\n\nTo enable support for divert sockets, place the following lines in the\nkernel configuration file:\n\n    options IPFIREWALL\n    options IPDIVERT\n\n(The file in this case was: /usr/src/sys/i386/conf/GENERIC; which is platform\ndependent.)\n\nYou may need to also set these to use the loadable kernel modules:\n\n/etc/rc.conf:\nfirewall_enable=\"YES\"\n\n/boot/loader.conf:\nipfw_load=\"YES\"\nipdivert_load=\"YES\"\n\n$ dmesg | grep ipfw\nipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based\nforwarding disabled, default to deny, logging disabled\n\n$ kldload -v ipdivert\nLoaded ipdivert, id=4\n\n$ ipfw add 75 divert 8000 icmp from any to any\n00075 divert 8000 icmp from any to any\n\n$ ipfw list\n...\n00075 divert 8000 icmp from any to any\n00080 allow icmp from any to any\n...\n\n* Note that on FreeBSD, divert sockets don't work with bridges!\n\nPlease refer to the following articles for more information:\n\nhttps://forums.snort.org/forums/support/topics/snort-inline-on-freebsd-ipfw\nhttp://freebsd.rogness.net/snort_inline/\n\nNAT gateway can be used with divert sockets if the network environment is\nconducive to using NAT.\n\nThe steps to set up NAT with ipfw are as follows:\n\n1. 
Set up NAT with two interfaces, em0 and em1, by adding\nthe following to /etc/rc.conf:\n\ngateway_enable=\"YES\"\nnatd_program=\"/sbin/natd\"   # path to natd\nnatd_enable=\"YES\"           # Enable natd (if firewall_enable == YES)\nnatd_interface=\"em0\"       # Public interface or IP Address\nnatd_flags=\"-dynamic\"       # Additional flags\ndefaultrouter=\"\"\nifconfig_em0=\"DHCP\"\nifconfig_em1=\"inet 192.168.1.2 netmask 255.255.255.0\"\nfirewall_enable=\"YES\"\nfirewall_script=\"/etc/rc.firewall\"\nfirewall_type=\"simple\"\n\nHere em0 is connected to the external network and em1 to a host-only LAN.\n\n2. Add the following divert rules to divert packets to Snort above and\nbelow the NAT rule in the \"Simple\" section of /etc/rc.firewall.\n\n   ...\n   # Inspect outbound packets (those arriving on \"inside\" interface)\n   # before NAT translation.\n   ${fwcmd} add divert 8000 all from any to any in via ${iif}\n   case ${natd_enable} in\n   [Yy][Ee][Ss])\n       if [ -n \"${natd_interface}\" ]; then\n           ${fwcmd} add divert natd all from any to any via ${natd_interface}\n       fi\n       ;;\n   esac\n   ...\n   # Inspect inbound packets (those arriving on \"outside\" interface)\n   # after NAT translation that aren't blocked for other reasons,\n   # after the TCP \"established\" rule.\n   ${fwcmd} add divert 8000 all from any to any in via ${oif}\n\n\nNotes on OpenBSD::IPFW\n======================\n\nOpenBSD supports divert sockets as of 4.7, so we use the ipfw DAQ.\n\nHere is one way to set things up:\n\n1.  Configure the system to forward packets:\n\n    $ sysctl net.inet.ip.forwarding=1\n    $ sysctl net.inet6.ip6.forwarding=1\n\n    (You can also put that in /etc/sysctl.conf to enable on boot.)\n\n2.  Set up interfaces:\n\n    $ dhclient vic1\n    $ dhclient vic2\n\n3.  
Set up packet filter rules:\n\n    $ echo \"pass out on vic1 divert-packet port 9000 keep-state\" \u003e rules.txt\n    $ echo \"pass out on vic2 divert-packet port 9000 keep-state\" \u003e\u003e rules.txt\n\n    $ pfctl -v -f rules.txt\n\n4.  Analyze packets diverted to port 9000:\n\n    $ ./snort --daq ipfw --daq-var port=9000\n\n* Note that on OpenBSD, divert sockets don't work with bridges!\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredborder%2Fdaq","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fredborder%2Fdaq","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fredborder%2Fdaq/lists"}