Re: flexresp and kernel dropping packets.

[Erek Adams <erek () theadamsfamily net>]

On Mon, 12 Aug 2002, Brian F. Vaughan wrote:

>       I am currently running snort-1.8.7 on Linux 6.2 (Kernel 2.4.18). I
> configured snort with ./configure --enable-flexresp and everything compiled
> ok. I reviewed my rules and everything is ok with the rules. However when I
> start snort with snort -d -v, I notice that the kernel is dropping packets.
> Is this normal and has anyone seen this? Does it look like I'll have to
> recompile my kernel.

A few possible solutions about this:

        *  Update your kernel as you said.
        *  Stop using -d -v as options.  Snort has to write to STDOUT when you
do that, and writing to the screen takes a bit of time away from doing
anything else.  Use -b and post process the logs if your want to view them
onscreen.
        *  Consider a changing your NIC.  Intel Pro's seem to have some of the
least amount of packet drops (according to the list).
        *  Update libpcap to the most recent version from tcpdump.org.
        *  Check the snort-developers archives for some recent threads on
linux and libpcap.  (Search for Phil Wood, he's da man!)
        *  Rebuild the box as a *BSD.

Ok, ok, I was _just kidding_ with the last statement. ;-)

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users