Snort mailing list archives
RE: kernel dropping packets.
From: "Moyer, Shawn" <SMoyer () rgare com>
Date: Tue, 30 Jul 2002 09:12:44 -0500
wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is something funky w/ your e-net driver or pcap libs? Or maybe even the packet loss counter itself? This may be something to post over on snort-dev.

You also generated over 1K alerts, which makes the case for tuning your ruleset a bit more. That's a lot of data to wade through, and I'll lay odds a lot of those are falses or stuff you're not interested in.

Where is the box's placement in relation to the rest of your network? Span port on a core switch? Is there any possibility of breaking it out by VLAN tags or segments, maybe hanging a couple of additional nics off the box?

--shawn

-----Original Message-----
From: Virgil [mailto:virgil () webcentral com]
Sent: Tuesday, 30 July, 2002 01:38 AM
To: 'Moyer, Shawn'
Subject: RE: [Snort-users] kernel dropping packets.

So this is bad then:

Jul 30 16:36:34 beastie snort: ===============================================================================
Jul 30 16:36:34 beastie snort: Snort analyzed 1939463424 out of 422643012 packets,
Jul 30 16:36:34 beastie snort: The kernel dropped -1517180408(657.242%) packets
Jul 30 16:36:34 beastie snort: Breakdown by protocol: Action Stats:
Jul 30 16:36:34 beastie snort: TCP: 1823649555 (431.487%) ALERTS: 1255166
Jul 30 16:36:34 beastie snort: UDP: 91051690 (21.543%) LOGGED: 1255166
Jul 30 16:36:34 beastie snort: ICMP: 11718943 (2.773%) PASSED: 0
Jul 30 16:36:34 beastie snort: ARP: 4490650 (1.063%)
Jul 30 16:36:34 beastie snort: IPv6: 0 (0.000%)
Jul 30 16:36:34 beastie snort: IPX: 0 (0.000%)
Jul 30 16:36:34 beastie snort: OTHER: 8678010 (2.053%)
Jul 30 16:36:34 beastie snort: DISCARD: 34 (0.000%)
Jul 30 16:36:34 beastie snort: ===============================================================================
Jul 30 16:36:34 beastie snort: Fragmentation Stats:
Jul 30 16:36:34 beastie snort: Fragmented IP Packets: 301074 (0.071%)
Jul 30 16:36:34 beastie snort: Fragment Trackers: 204480
Jul 30 16:36:34 beastie snort: Rebuilt IP Packets: 66603
Jul 30 16:36:34 beastie snort: Frag elements used: 145628
Jul 30 16:36:34 beastie snort: Discarded(incomplete): 0
Jul 30 16:36:34 beastie snort: Discarded(timeout): 204435
Jul 30 16:36:34 beastie snort: Frag2 memory faults: 0
Jul 30 16:36:34 beastie snort: ===============================================================================
Jul 30 16:36:34 beastie snort: TCP Stream Reassembly Stats:
Jul 30 16:36:34 beastie snort: TCP Packets Used: 0 (0.000%)
Jul 30 16:36:34 beastie snort: Stream Trackers: 0
Jul 30 16:36:34 beastie snort: Stream flushes: 0
Jul 30 16:36:34 beastie snort: Segments used: 0
Jul 30 16:36:34 beastie snort: Stream4 Memory Faults: 0
Jul 30 16:36:34 beastie snort: ===============================================================================

??

Virgil
virgil () webcentral com
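An added example, not part of the original messages and not Snort's own code: a sanity check over the two summary lines quoted above. It assumes the counters are 32-bit values printed as signed integers; read as unsigned, the drop counter reproduces the reported 657.242%. The function names are hypothetical.

```python
import re

# Sample input: the two summary lines copied from the log quoted above.
SAMPLE = """\
Jul 30 16:36:34 beastie snort: Snort analyzed 1939463424 out of 422643012 packets,
Jul 30 16:36:34 beastie snort: The kernel dropped -1517180408(657.242%) packets
"""

ANALYZED = re.compile(r"Snort analyzed (-?\d+) out of (-?\d+) packets")
DROPPED = re.compile(r"The kernel dropped (-?\d+)\(([\d.]+)%\) packets")
U32 = 1 << 32  # assumption: counters are 32 bits wide


def as_u32(n):
    """Reinterpret a value printed as signed 32-bit as unsigned 32-bit."""
    return n % U32


def check_stats(text):
    """Return (findings, recomputed drop %) for one exit-statistics block."""
    a = ANALYZED.search(text)
    d = DROPPED.search(text)
    if not a or not d:
        raise ValueError("summary lines not found")
    analyzed, received = int(a.group(1)), int(a.group(2))
    dropped, pct = int(d.group(1)), float(d.group(2))

    findings = []
    if dropped < 0:
        findings.append("drop counter printed negative (value above 2^31-1)")
    if analyzed > received:
        findings.append("analyzed exceeds received: counters are inconsistent")
    if pct > 100.0:
        findings.append("drop percentage above 100%")

    # Percentage obtained when the drop counter is read as unsigned.
    recomputed = round(100.0 * as_u32(dropped) / as_u32(received), 3)
    return findings, recomputed


if __name__ == "__main__":
    issues, pct = check_stats(SAMPLE)
    for issue in issues:
        print("WARN:", issue)
    print("drop % with unsigned counter:", pct)
```

Any finding means the drop figures from that run cannot be used to judge sensor coverage; shorter runs or external interface counters give a usable number.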