Snort DAQ modules are the packet acquisition layer that connects the sensor to packet captures, live interfaces, and inline paths. Checking the module list before sensor startup helps separate capture-layer problems from rule or Lua configuration errors.
Snort 3 uses LibDAQ 3, and the module list reports each module name, module version, supported operation mode, and privilege marker. The same binary can expose built-in modules and modules loaded from a DAQ directory, so the check should match the install layout used by the final runtime command.
The module check belongs after a source install, after changing DAQ library paths, and before writing a service command that names a module. A visible module list does not prove real traffic can pass through an interface, but it confirms that Snort can find the acquisition module the later packet-capture or inline command will request.
Related: How to install Snort on Ubuntu
Related: How to monitor a live interface with Snort
Related: How to run Snort in inline mode
$ snort -V
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.12.2.0
   ''''    By Martin Roesch & The Snort Team
           http://snort.org/contact#team
           Copyright (C) 2014-2026 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using DAQ version 3.0.27
           Using libpcap version 1.10.6 (64-bit time_t, with TPACKET_V3)
##### snipped #####
Snort 3 should report a DAQ version in the 3.x line. A 2.x DAQ belongs to Snort 2 workflows.
$ snort --daq-list
Available DAQ modules:
afpacket(v7): live inline multi unpriv
 Variables:
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
  debug - Enable debugging output to stdout
  fanout_type <arg> - Fanout loadbalancing method
  fanout_flag <arg> - Fanout loadbalancing option
  use_tx_ring - Use memory-mapped TX ring
bpf(v1): inline unpriv wrapper
dump(v5): inline unpriv wrapper
 Variables:
  file <arg> - PCAP filename to output transmitted packets to (default: inline-out.pcap)
  output <arg> - Set to none to prevent output from being written to file (deprecated)
  dump-rx [arg] - Also dump received packets to their own PCAP file (default: inline-in.pcap)
fst(v1): unpriv wrapper
 Variables:
  no_binding_verdicts - Disables enforcement of binding verdicts
  enable_meta_ack - Enables support for filtering bare TCP acks
  ignore_checksums - Ignore bad checksums while decoding
gwlb(v1): inline unpriv wrapper
pcap(v4): readback live multi unpriv
 Variables:
  buffer_size <arg> - Packet buffer space to allocate in bytes
  no_promiscuous - Disables opening the interface in promiscuous mode
  no_immediate - Disables immediate mode for traffic capture (may cause unbounded blocking)
  readback_timeout - Return timeout receive status in file readback mode
  rewind - Resume reading at start of file upon reaching end
savefile(v1): readback multi unpriv
trace(v1): inline unpriv wrapper
 Variables:
  file <arg> - Filename to write text traces to (default: inline-out.txt)
The words after each module identify supported operation. live supports interface capture, readback supports packet files, and inline supports inline processing when the module and interface layout allow it.
$ snort --daq-dir /usr/local/lib/daq --daq-list
Available DAQ modules:
afpacket(v7): live inline multi unpriv
##### snipped #####
pcap(v4): readback live multi unpriv
savefile(v1): readback multi unpriv
trace(v1): inline unpriv wrapper
Use the directory that contains DAQ module files for the current Snort 3 install. Include --daq-dir in later commands when the default module search path does not find the matching LibDAQ modules.
$ snort --help-options daq
--daq <type> select packet acquisition module (default is pcap)
--daq-batch-size <size> set the DAQ receive batch size; default is 64 (1:)
--daq-dir <dir> tell snort where to find desired DAQ
--daq-list list packet acquisition modules available in optional dir, default is static modules only
--daq-mode <mode> select DAQ module operating mode (overrides automatic selection) (passive | inline | read-file)
--daq-var <name=value> specify extra DAQ configuration variable
--daq-mode overrides automatic passive, inline, or read-file selection. Use --daq-var only for module-specific values such as buffer, fanout, or output settings.
pcap(v4): readback live multi unpriv
afpacket(v7): live inline multi unpriv
savefile(v1): readback multi unpriv
Use pcap for pcap readback and passive interface tests. Use afpacket for Linux inline pairs only when the module line includes inline and the interface pair is approved for forwarding.
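The check described above can be scripted as a pre-flight gate before a service command names a module. This is an added example, not part of the original page or of Snort itself: the function names daq_caps and daq_supports are hypothetical, the sample listing is trimmed from the output shown on this page, and the parser assumes module header lines start in the first column with variable lines indented beneath them.

```shell
#!/bin/sh
# Pre-flight check: does a module in `snort --daq-list` output advertise a
# given capability word (live, readback, inline, ...)?

# Sample listing trimmed from the output on this page; on a sensor, pipe
# `snort --daq-list` (with --daq-dir if the install needs it) in instead.
SAMPLE_DAQ_LIST='Available DAQ modules:
afpacket(v7): live inline multi unpriv
 Variables:
  buffer_size_mb <arg> - Packet buffer space to allocate in megabytes
  use_tx_ring - Use memory-mapped TX ring
pcap(v4): readback live multi unpriv
 Variables:
  no_promiscuous - Disables opening the interface in promiscuous mode
savefile(v1): readback multi unpriv
trace(v1): inline unpriv wrapper'

# daq_caps MODULE: read a listing on stdin and print the capability words of
# MODULE. Exit status 1 means the module is not listed at all.
daq_caps() {
    awk -v mod="$1" '
        # Header lines look like "name(vN): word word ..." at column 0.
        # Indented variable lines never match this anchor.
        /^[A-Za-z0-9_]+\(v[0-9]+\):/ {
            name = $1; sub(/\(.*/, "", name)
            if (name == mod) {
                sub(/^[^:]*:[ ]*/, ""); print; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# daq_supports MODULE WORD: 0 if MODULE lists WORD, 1 if it does not,
# 2 if MODULE is missing. Whole-word match, so "live" never matches "inline".
daq_supports() {
    caps=$(daq_caps "$1") || return 2
    case " $caps " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the sample listing.
printf '%s\n' "$SAMPLE_DAQ_LIST" | daq_supports afpacket inline && echo "afpacket: inline ok"
```

A return value of 2 separates a module that was not found (usually a --daq-dir problem) from a module that is present but lacks the requested capability.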
Related: How to test Snort with pcap replay
Related: How to monitor a live interface with Snort
Related: How to run Snort in inline mode
$ sudo snort -c /usr/local/etc/snort/snort.lua --daq pcap -i enp1s0 -T
--------------------------------------------------
o")~   Snort++ 3.12.2.0
--------------------------------------------------
##### snipped #####
pcap DAQ configured to passive.
Snort successfully validated the configuration (with 0 warnings).
o")~   Snort exiting
Replace enp1s0 with the actual sensor interface. Use -Q --daq afpacket -i enp1s0:enp2s0 -T only in a lab or approved inline path.
Related: How to test Snort configuration