Snort mailing list archives
RE: Kernel Dropping Packets
From: "Arseneault, Thomas (HQP)" <thomas.arseneault () rhi com>
Date: Wed, 9 Mar 2005 12:21:29 -0800
Logging to the console is rate limited depending on the OS you're using. I've had Solaris machines with consoles limited to 9600 baud. I don't recall right now how/where to check your console speed, but that is what I'd bet the problem is. You start writing to the console and the buffer fills up and blocks the text stream, causing the kernel to stop processing packets; your processor is fine and more than capable of keeping up, but it's told not to. Files will write as fast as the platter and heads and interface will let you.

You might be able to increase the speed of the console, but you'll get to a point, early on, where the stream speeds by too fast to be of any use and anything interesting will flow past the end of the scroll back buffer.

Tom Arseneault
Security Engineer
Robert Half International

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of sEc nErD
Sent: Wednesday, March 09, 2005 8:58 AM
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Kernel Dropping Packets

Hi ALL,

I stopped my snort. Whenever I use tcpdump on the sniffing interfaces to write to the console, the kernel drops 90% of the packets, but when I do tcpdump to write to a file, whatever it sniffs, the kernel drops zero packets.

Since writing to a file requires less CPU usage and the kernel doesn't drop anything, I am assuming my pcap is just working fine... but when we write to the console... the CPU cannot process info from pcap as fast...??

But my processor info and others don't give me any resource crunch unless I am interpreting them wrong. Please let me know what could be the issue. Thanks for any help on that. Below are the outputs of meminfo, cpuinfo and top -c.

#cat cpuinfo
    processor : 1
    vendor_id : GenuineIntel
    cpu family : 15
    model : 4
    model name : Intel(R) Pentium(R) 4 CPU 3.00GHz
    stepping : 1
    cpu MHz : 2996.236
    cache size : 1024 KB
    physical id : 0
    siblings : 2
    fdiv_bug : no
    hlt_bug : no
    f00f_bug : no
    coma_bug : no
    fpu : yes
    fpu_exception : yes
    cpuid level : 5
    wp : yes
    flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe pni monitor ds_cpl cid
    bogomips : 5980.16

#cat meminfo
    cat meminfo
    MemTotal: 1034584 kB
    MemFree: 437504 kB
    Buffers: 123512 kB
    Cached: 222808 kB
    SwapCached: 0 kB
    Active: 336500 kB
    Inactive: 172152 kB
    HighTotal: 0 kB
    HighFree: 0 kB
    LowTotal: 1034584 kB
    LowFree: 437504 kB
    SwapTotal: 2040244 kB
    SwapFree: 2040244 kB
    Dirty: 4 kB
    Writeback: 0 kB
    Mapped: 155860 kB
    Slab: 74228 kB
    Committed_AS: 247860 kB
    PageTables: 7340 kB
    VmallocTotal: 3088376

#top -c
    Cpu(s): 0.2% us, 0.0% sy, 0.0% ni, 99.8% id, 0.0% wa, 0.0% hi, 0.0% si
    Mem: 1034584k total, 597144k used, 437440k free, 123512k buffers
    Swap: 2040244k total, 0k used, 2040244k free, 222808k cach

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
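The back-pressure described in the reply above can be reproduced with a small model of a bounded capture buffer drained by a slow or a fast output sink. This is an added example, not part of the original thread; the 100 packets/s rate, 100-byte output record, 64-packet buffer, 50 MB/s file sink and 8N1 framing (9600 baud treated as 960 bytes/s) are constructed assumptions.

```python
def simulate(pkts_per_sec, sink_bytes_per_sec, bytes_per_record=100,
             buf_pkts=64, seconds=60):
    """Model a capture buffer drained by a rate-limited sink, in 1 ms ticks.

    Returns (arrived, written, dropped). All parameters are constructed
    sample values, not measurements from the thread.
    """
    cost = bytes_per_record * 1000       # sink credit is kept in 1/1000 byte
    arrive_acc = credit = 0
    queued = arrived = written = dropped = 0
    for _ in range(seconds * 1000):
        # Packets arrive from the wire into the bounded capture buffer.
        arrive_acc += pkts_per_sec
        while arrive_acc >= 1000:
            arrive_acc -= 1000
            arrived += 1
            if queued < buf_pkts:
                queued += 1
            else:
                dropped += 1             # buffer full: counted as a kernel drop
        # The reader empties the buffer only as fast as the sink takes bytes.
        credit += sink_bytes_per_sec
        while queued and credit >= cost:
            credit -= cost
            queued -= 1
            written += 1
        if not queued:
            credit = min(credit, cost)   # an idle sink cannot bank capacity
    return arrived, written, dropped


def drop_ratio(pkts_per_sec, sink_bytes_per_sec):
    """Fraction of arriving packets that never reached the sink's buffer."""
    arrived, _, dropped = simulate(pkts_per_sec, sink_bytes_per_sec)
    return dropped / arrived


CONSOLE_9600_BAUD = 960          # bytes/s, assuming 10 bits per byte (8N1)
FILE_ON_DISK = 50_000_000        # bytes/s, constructed figure for a local disk

if __name__ == "__main__":
    for name, rate in (("console", CONSOLE_9600_BAUD), ("file", FILE_ON_DISK)):
        print(f"{name:8s} drop ratio at 100 pkt/s: {drop_ratio(100, rate):.1%}")
```

In this model the CPU is never the limit: the reader is simply blocked on the sink, so idle CPU figures like those in the `top` output above are consistent with heavy drops.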
Current thread:
- Kernel Dropping Packets sEc nErD (Mar 09)
- <Possible follow-ups>
- RE: Kernel Dropping Packets Arseneault, Thomas (HQP) (Mar 09)