Snort mailing list archives
RE: 2.1.3rc1 Performance
From: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Date: Thu, 20 May 2004 13:01:20 -0500
If you run snort on that interface... You can kill -USR1 <pid> and it will dump stats to syslog. I'd also make sure to run a few different tests. You can tell tcpreplay to replay the packets at a certain rate, or even at a certain multiplication of the original timing. I'd recommend doing it at normal speed, doing it at twice the speed, and then doing it as fast as possible for each of the two pcaps.

-----Original Message-----
From: Gary_Portnoy () itginc com [mailto:Gary_Portnoy () itginc com]
Sent: Thursday, May 20, 2004 11:10 AM
To: Kreimendahl, Chad J
Cc: snort-users () lists sourceforge net; Darren Webb
Subject: RE: [Snort-users] 2.1.3rc1 Performance

I'll know for sure tonight. I am capturing exactly 1 million packets with tcpdump. Tonight I'll connect two systems with a cross-over cable and run snort on one side with a stripped conf file and tcpreplay (Thanks Chad!) on the other side to dump out the packets. I'll run this with both versions and see what gets reported. If libpcap 0.7.2 keeps reporting 0 dropped, I'll try to increase the rate to see if there is a point when it actually reports anything....

-gary-
-------------------------------------------
Gary Portnoy

"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
05/20/2004 11:24 AM
To: "Darren Webb" <spyder007 () charter net>, <Gary_Portnoy () itginc com>
cc: <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] 2.1.3rc1 Performance

The problem isn't FreeBSD, as far as anyone can tell. The problem appears to be with libpcap 0.8.3. Using 0.7.2 resolves this reporting of dropped packets problem. At this point I'm not completely sure that 0.8.3 is actually dropping packets, but may just be reporting drops when there are none.
-----Original Message-----
From: Darren Webb [mailto:spyder007 () charter net]
Sent: Wednesday, May 19, 2004 11:55 PM
To: Gary_Portnoy () itginc com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] 2.1.3rc1 Performance

We recently switched from Red Hat-based sensors to FreeBSD and noticed an alarming jump in dropped packets as well. You can also try this in addition to perfmon. (FreeBSD 5.2.1, Snort 2.1.2, libpcap 0.8.3)

    ps aux | grep snort
    kill -USR1 <pid>
    tail -100 /var/log/messages

(Of course, your commands will vary somewhat on Solaris.) The output will show stats from when the Snort session was started. You can then check the frag2 and stream4 preprocessors for possible memory faults and discarded packets. We were seeing 40% to 80% packet loss at times and by giving these preprocessors extra memory and defining the TTLs better in the snort.conf file we are now at 1% or lower. Hope this helps some.

Darren
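As an added example (not code from the thread or from the Snort project), a small Python checker for the SIGUSR1 stats dump that Chad and Darren describe: it pulls the received/analyzed/dropped counters and the preprocessor memory-fault lines out of the syslog tail, then compares the reported drop count against the number of packets tcpreplay actually sent, which is how to tell a real drop from the spurious counter Chad suspects in libpcap 0.8.3. The syslog lines are constructed, and their exact shape is an assumption modelled on Snort 2.x output, so adjust the regexes to your sensor's version.

```python
import re
from dataclasses import dataclass

# Constructed sample of a SIGUSR1 stats dump as it lands in /var/log/messages.
# The line shapes are an assumption modelled on Snort 2.x output, not text
# taken from the thread. Note the telltale inconsistency: every packet sent
# was analyzed, yet libpcap still reports 37210 drops.
SAMPLE_SYSLOG = """\
May 20 21:02:11 sensor snort[4242]: Snort received 1000000 packets
May 20 21:02:11 sensor snort[4242]:     Analyzed: 1000000(100.000%)
May 20 21:02:11 sensor snort[4242]:     Dropped: 37210(3.721%)
May 20 21:02:11 sensor snort[4242]: Frag2 memory faults: 0
May 20 21:02:11 sensor snort[4242]: Stream4 memory faults: 12
"""

@dataclass
class RunStats:
    received: int
    analyzed: int
    dropped: int
    mem_faults: dict  # preprocessor name (lower-case) -> fault count

PATTERNS = {
    "received": re.compile(r"Snort received (\d+) packets"),
    "analyzed": re.compile(r"Analyzed:\s*(\d+)"),
    "dropped": re.compile(r"Dropped:\s*(\d+)"),
}
FAULT_RE = re.compile(r"(\w+) memory faults:\s*(\d+)")

def parse_stats(text: str) -> RunStats:
    """Extract the counters from the syslog lines of one stats dump."""
    found, faults = {}, {}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                found[key] = int(m.group(1))
        m = FAULT_RE.search(line)
        if m:
            faults[m.group(1).lower()] = int(m.group(2))
    return RunStats(found["received"], found["analyzed"], found["dropped"], faults)

def assess(stats: RunStats, packets_sent: int) -> list:
    """Cross-check the drop counter against what tcpreplay sent (the 1 million
    packets in Gary's test). If every packet sent was analyzed, a non-zero
    drop count cannot be real and points at the libpcap reporting bug."""
    findings = []
    if stats.dropped > 0:
        findings.append("spurious-drop-count" if stats.analyzed >= packets_sent
                        else "real-drops")
    for name, n in stats.mem_faults.items():
        if n:  # Darren's fix: more memory for the preprocessor, better TTLs
            findings.append(f"{name}-memory-faults")
    return findings

def drop_rate(stats: RunStats) -> float:
    """Drop percentage as libpcap reports it, for comparing the 1x/2x/top-speed runs."""
    total = stats.analyzed + stats.dropped
    return 100.0 * stats.dropped / total if total else 0.0
```

Run parse_stats on the tail of /var/log/messages after each tcpreplay pass and keep the assess output per rate and per pcap; a run that comes back clean at 1x but shows real drops at top speed gives you the sensor's actual ceiling.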