Snort mailing list archives

Re: Snort 2.0.5 dropping packets


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 19 Dec 2003 14:00:06 -0500

At 12:03 PM 12/19/2003, Sheahan, Paul wrote:
> Now I built a new Snort server on beefier hardware running RHLinux 8.0 and Snort 2.0.5 and a gig NIC. The network it is on is running at 1000mb/s (gig) though traffic levels are the same as the old network (35mb/s). Yet Snort drops .2% (point 2 percent) of traffic on the default ruleset and when I add my custom rule file (which has a lot of content based rules), Snort drops massive amounts of packets (like 30 to 40%!)
>
> Any ideas why this would happen when it didn't happen on the lower end box running at 100mb/s? Any tips on how I can avoid this? I confirmed that the gig nic is running at 1000mb/s as it should be and the port on the switch it is plugged into is forced at 1000mb/s.


Well, let's put it this way... 35mbps is the *average* throughput.. but that has little or nothing to do with packet drop rate..

What most affects packet drop rate is the minimum possible time between two packets. This is largely dependent on your peak wire-rate, not your average rate.

By switching to gigabit ethernet, even with only 35mbps flowing through it on average, you've made it possible for two packets to be 1/10th the distance apart in time. This is because routers can queue packets, and send a small burst of them at once.. The average is still 35mbps, but the instantaneous rate is gigabit, and that can go on until the router exhausts whatever pile of packets it has queued up.

TCP streams also tend to have this burstish behavior as they come out of the source machine. TCP has a rate limiter, but once an ack comes in and opens up the window, it can crank out a bunch of segments until the window is exhausted or one of the rate limiting systems kicks in (congestion avoidance and/or slow start).
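
The burst argument above, as an added example that is not part of the original post: a small deterministic queue simulation in which the average load stays at 35 Mb/s and only the wire rate changes. Packet size, per-packet inspection time, buffer depth and burst size are assumed values chosen for illustration, not measurements of Snort or of the poster's network.

```python
from collections import deque

# All values below are illustrative assumptions except the 35 Mb/s average.
PKT_BITS = 1500 * 8        # full-size Ethernet frames
AVG_BPS = 35_000_000       # average load quoted in the thread
SERVICE_NS = 100_000       # sensor needs 100 us per packet (~120 Mb/s sustained)
BUFFER_PKTS = 32           # packets the capture buffer can hold
BURST_PKTS = 64            # packets a router releases back to back


def arrival_times_ns(wire_bps, n_bursts):
    """Bursts at wire rate, spaced so the long-run average stays AVG_BPS."""
    gap = PKT_BITS * 10**9 // wire_bps                  # minimum inter-packet time
    period = BURST_PKTS * PKT_BITS * 10**9 // AVG_BPS   # start-to-start of bursts
    return [b * period + i * gap
            for b in range(n_bursts) for i in range(BURST_PKTS)]


def simulate(wire_bps, n_bursts=100):
    """Return (packets_offered, packets_dropped) for a single-queue sensor."""
    in_system = deque()    # finish times of packets queued or being inspected
    last_finish = 0
    dropped = 0
    arrivals = arrival_times_ns(wire_bps, n_bursts)
    for t in arrivals:
        while in_system and in_system[0] <= t:
            in_system.popleft()            # inspection finished before arrival
        if len(in_system) >= BUFFER_PKTS:
            dropped += 1                   # buffer full: packet is lost
            continue
        last_finish = max(t, last_finish) + SERVICE_NS
        in_system.append(last_finish)
    return len(arrivals), dropped


if __name__ == "__main__":
    for name, bps in (("100 Mb/s", 100_000_000), ("1 Gb/s", 1_000_000_000)):
        offered, dropped = simulate(bps)
        print(f"{name}: {dropped}/{offered} dropped ({100 * dropped / offered:.1f}%)")
```

With these assumed numbers the sensor keeps up with every packet at 100 Mb/s, because the 120 us minimum spacing exceeds its 100 us inspection time, while at 1 Gb/s the 12 us spacing fills the buffer partway through each burst even though the average load is unchanged.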





