Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: packet loss

From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 28 Sep 2004 13:34:56 -0400
At 10:13 AM 9/28/2004, Larry Wichman wrote:
In the course of my testing of Snort I have averaged about 40% packet loss. I am running Snort on Fedora. The segment I am monitoring is 100 mb and is very busy. Does anyone have any recommendations for tuning Snort to not drop so many packets? Is there any recommendations for hardware? The CPU is running at about 40% and the memory looks fine. 



First, I'd make sure your setup is reasonably optimized.
What logging modes are you using? switching to tcpdump or unified packet logging is a HUGE improvement from the default plain text-mode logging. 


Then some simple low-cost hardware checks:
Are you digging into your swap partition, or do you have sufficient ram?
What kind of NIC are you using? A Realtek RT8139 is a popular, but very inefficient network controller. Look into something with more efficient DMA alignments (Dec tulip, Intel eepro, etc). The newer gigabit realtek 8169 part is fairly reasonable from what I hear, but I've not tested it. 




-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: