Snort mailing list archives

Re: sensor drops packets ?


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 16 May 2005 14:28:07 -0400

Juan Fernandez wrote:
Hi,
 
One of my sensors, which is located in the DMZ and listens to the traffic
there, seems not to be capturing all the data. I use AAnval to see the
alerts, and there I noticed that I see just packets whose source IP is in
my network. (This is a loaded DMZ with many web servers.) So I worked
on this sensor with tcpdump, and there I saw in the last lines that:
26152 packets received by filter
23806 packets dropped by kernel
 
Why is that?
The NIC operates at 100 Mb full duplex...


Generally that means your machine is too slow to keep up with the rate at which
packets are coming in.

A "dropped packet" from a snort/tcpdump perspective means that a packet got
clobbered before whatever application you are running was able to read it from
the pcap buffers.

One thing that greatly helps with this is to set your system up with Phil Wood's
ring-buffered pcap library. This helps smooth out some of the bumps in packet
rate by setting up a buffer that can hold multiple packets.

From there, if even tcpdump is still dropping packets, it's probably time for
some hardware upgrades. Get a good NIC (at least make sure you're not using one
of those Realtek 10/100 NICs with their inefficient alignment requirements).
Check to see if you're using a lot of swap and bump up your RAM if you are; if
not, go for CPU power.

If your snort box is also doing lots of other things (a mailserver, DNS, firewall,
webserver, and snort all in one box gets a bit hefty), you might consider moving
snort, or some of the other tasks, to a less heavily loaded box.
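The counters Matt is describing are the ones tcpdump prints on stderr when it exits, so the quickest way to tell whether a sensor is keeping up is to run a short timed capture and look at the ratio of "dropped by kernel" to "received by filter". The script below is an added example, not code from this thread or from the Snort or tcpdump projects: it parses that exit summary and returns a drop ratio and a verdict. The overloaded sample uses the two figures Juan posted; its "packets captured" line, the healthy second sample, and the 1% warning threshold are all constructed assumptions. Exact wording of the summary lines varies a little between tcpdump versions, and whether "received by filter" already includes the dropped packets depends on the operating system (the tcpdump manual spells out the per-platform rules), so treat the ratio as a relative gauge, not an exact loss figure.

```python
"""Parse tcpdump's end-of-run statistics and flag a sensor that drops packets.

Added example for this thread; not the project's own code.
Typical use on a sensor (needs root and a real interface):

    tcpdump -n -i eth0 -c 20000 -w /dev/null 2> stats.txt
    python3 this_script.py < stats.txt
"""
import re
import sys
from typing import Dict, Optional

# tcpdump's summary lines look like "26152 packets received by filter".
# Newer versions also print "N packets captured" and, when the driver
# reports it, "N packets dropped by interface".
_STAT_LINE = re.compile(
    r"^\s*(\d+)\s+packets?\s+"
    r"(captured|received by filter|dropped by kernel|dropped by interface)\s*$"
)
_KEYS = {
    "captured": "captured",
    "received by filter": "received",
    "dropped by kernel": "dropped_kernel",
    "dropped by interface": "dropped_iface",
}

# Constructed sample input. The received/dropped figures are the ones from the
# original question; the "captured" line is an assumption added for realism.
SAMPLE_OVERLOADED = """\
2346 packets captured
26152 packets received by filter
23806 packets dropped by kernel
"""

# Constructed sample of a sensor that is keeping up.
SAMPLE_HEALTHY = """\
41200 packets captured
41203 packets received by filter
0 packets dropped by kernel
"""


def parse_tcpdump_stats(stderr_text: str) -> Dict[str, int]:
    """Return the counters found in tcpdump's exit summary.

    Keys: captured, received, dropped_kernel, dropped_iface. A key is absent
    when tcpdump did not print that line, so callers must use .get().
    """
    stats: Dict[str, int] = {}
    for line in stderr_text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            stats[_KEYS[m.group(2)]] = int(m.group(1))
    return stats


def drop_ratio(stats: Dict[str, int]) -> Optional[float]:
    """Fraction of filter-matched packets the capture path lost.

    Kernel and interface drops are summed. Returns None when nothing was
    received, because a ratio would be meaningless (and would divide by zero).
    """
    received = stats.get("received", 0)
    if received == 0:
        return None
    dropped = stats.get("dropped_kernel", 0) + stats.get("dropped_iface", 0)
    return dropped / received


def assess(stats: Dict[str, int], warn_at: float = 0.01) -> str:
    """Classify a run as 'ok', 'dropping' or 'no-data'.

    warn_at is an assumed threshold: 1% loss already means alerts are being
    missed on a busy segment, so tune it down rather than up.
    """
    ratio = drop_ratio(stats)
    if ratio is None:
        return "no-data"
    return "dropping" if ratio >= warn_at else "ok"


if __name__ == "__main__":
    # Read a saved stderr capture from stdin, or fall back to the samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OVERLOADED
    s = parse_tcpdump_stats(text)
    r = drop_ratio(s)
    print(f"stats={s} drop_ratio={'n/a' if r is None else f'{r:.1%}'} "
          f"verdict={assess(s)}")
```

Run it several times at different hours: a ratio that is near zero at night and climbs with traffic confirms the box simply cannot keep up at peak, which is exactly the case where a larger pcap buffer or faster hardware helps and where a filter change would not.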
