Snort mailing list archives
Re: Dropped: 236694431 (64.559%) 64% packet loss
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 12 Jun 2009 15:27:11 -0400
Also, what's the CPU and RAM on the box? How are stream5 and frag3 configured? You should also upgrade to the 2.8.4 series; it has significant performance improvements in the detection engine.

Marty

On Fri, Jun 12, 2009 at 3:05 PM, Joel Esler<jesler () sourcefire com> wrote:
> On Fri, Jun 12, 2009 at 2:44 PM, Pedro Marinho<pppmarinho () gmail com> wrote:
> > Hello Gentlemen,
> >
> > I am having some dropped packet problems here with snort. I already did
> > change the search method to lowmem but I am still losing packets. I did
> > run snort for about 4405.825615 seconds and the traffic here is about
> > 210976.40 kbits/sec. Is 4405.825615 seconds a short time to run snort?
> > Is there something I've got to do in snort.conf to solve this matter?
>
> Possibly, what is your output method? That's probably a good starting point for us to ask.
>
> joel
>
> > I am watching traffic at eth2. It is a
> >
> > 06:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI Express (rev 21)
> >         Subsystem: Dell Unknown device 023c
> >         Flags: bus master, fast devsel, latency 0, IRQ 218
> >         Memory at dfef0000 (64-bit, non-prefetchable) [size=64K]
> >         Capabilities: [48] Power Management version 2
> >         Capabilities: [50] Vital Product Data
> >         Capabilities: [58] Message Signalled Interrupts: Mask- 64bit+ Queue=0/3 Enable+
> >         Capabilities: [d0] Express Endpoint IRQ 0
> >         Capabilities: [100] Advanced Error Reporting
> >         Capabilities: [13c] Virtual Channel
> >         Capabilities: [160] Device Serial Number d0
> >         Capabilities: [16c] Power Budgeting
> >
> > //---------------------------------------------------------------------------------------------------------
> >
> >         --== Initialization Complete ==--
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.8.0.1 (Build 72)
> >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> >            Using PCRE version: 7.2 2007-06-19
> >
> >            Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.6  <Build 11>
> >            Preprocessor Object: SF_SMTP  Version 1.0  <Build 7>
> >            Preprocessor Object: SF_SSH  Version 1.0  <Build 1>
> >            Preprocessor Object: SF_FTPTELNET  Version 1.0  <Build 10>
> >            Preprocessor Object: SF_DCERPC  Version 1.0  <Build 4>
> >            Preprocessor Object: SF_DNS  Version 1.0  <Build 2>
> > Not Using PCAP_FRAMES
> > *** Caught Int-Signal
> > Run time prior to being shutdown was 4405.825615 seconds
> > ===============================================================================
> > Packet Wire Totals:
> >    Received:    366635284
> >    Analyzed:    129940618 (35.441%)
> >     Dropped:    236694431 (64.559%)
> > Outstanding:          235 (0.000%)
> > ===============================================================================
> > Breakdown by protocol (includes rebuilt packets):
> >       ETH: 130192920  (100.000%)
> >   ETHdisc: 0          (0.000%)
> >      VLAN: 0          (0.000%)
> >      IPV6: 0          (0.000%)
> >   IP6 EXT: 0          (0.000%)
> >   IP6opts: 0          (0.000%)
> >   IP6disc: 0          (0.000%)
> >       IP4: 130114384  (99.940%)
> >   IP4disc: 7          (0.000%)
> >     TCP 6: 0          (0.000%)
> >     UDP 6: 0          (0.000%)
> >     ICMP6: 0          (0.000%)
> >   ICMP-IP: 0          (0.000%)
> >       TCP: 52209130   (40.101%)
> >       UDP: 77359186   (59.419%)
> >      ICMP: 290867     (0.223%)
> >   TCPdisc: 0          (0.000%)
> >   UDPdisc: 0          (0.000%)
> >   ICMPdis: 0          (0.000%)
> >      FRAG: 82         (0.000%)
> >    FRAG 6: 0          (0.000%)
> >       ARP: 10851      (0.008%)
> >     EAPOL: 0          (0.000%)
> >   ETHLOOP: 610        (0.000%)
> >       IPX: 0          (0.000%)
> >     OTHER: 69983      (0.054%)
> >   DISCARD: 7          (0.000%)
> > InvChkSum: 30         (0.000%)
> >   Upconvt: 0          (0.000%)
> >   Up fail: 0          (0.000%)
> >    S5 G 1: 0          (0.000%)
> >    S5 G 2: 252286     (0.194%)
> >     Total: 130192920
> > ===============================================================================
> > Action Stats:
> > ALERTS: 23
> > LOGGED: 23
> > PASSED: 0
> > ===============================================================================
> > Frag3 statistics:
> >         Total Fragments: 82
> >       Frags Reassembled: 16
> >                Discards: 6
> >           Memory Faults: 0
> >                Timeouts: 0
> >                Overlaps: 0
> >               Anomalies: 0
> >                  Alerts: 0
> >      FragTrackers Added: 63
> >     FragTrackers Dumped: 63
> > FragTrackers Auto Freed: 0
> >     Frag Nodes Inserted: 79
> >      Frag Nodes Deleted: 79
> > ===============================================================================
> > Stream5 statistics:
> >             Total sessions: 1628891
> >               TCP sessions: 1345654
> >               UDP sessions: 283237
> >              ICMP sessions: 0
> >                 TCP Prunes: 0
> >                 UDP Prunes: 0
> >                ICMP Prunes: 0
> > TCP StreamTrackers Created: 1359004
> > TCP StreamTrackers Deleted: 1359004
> >               TCP Timeouts: 1196
> >               TCP Overlaps: 235910
> >        TCP Segments Queued: 2186861
> >      TCP Segments Released: 2186861
> >        TCP Rebuilt Packets: 492515
> >          TCP Segments Used: 703168
> >               TCP Discards: 35617053
> >       UDP Sessions Created: 327597
> >       UDP Sessions Deleted: 327597
> >               UDP Timeouts: 44360
> >               UDP Discards: 0
> >                     Events: 0
> > ===============================================================================
> > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> >     POST methods:                   14653
> >     GET methods:                    106636
> >     Post parameters extracted:      5944
> >     Unicode:                        0
> >     Double unicode:                 0
> >     Non-ASCII representable:        34925
> >     Base 36:                        0
> >     Directory traversals:           1
> >     Extra slashes ("//"):           9926
> >     Self-referencing paths ("./"):  1
> >     Total packets processed:        35374294
> > ===============================================================================
> > Snort exiting
> >
> > ------------------------------------------------------------------------------
> > Crystal Reports - New Free Runtime and 30 Day Trial
> > Check out the new simplified licensing option that enables unlimited
> > royalty-free distribution of the report engine for externally facing
> > server and web deployment.
> > http://p.sf.net/sfu/businessobjects
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> --
> joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
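Added example (not part of the thread or of Snort): a small parser for the shutdown statistics quoted in the message above. It recomputes the drop percentage from the raw counters, checks that the wire totals add up, and converts them to per-second rates. The sample text is an excerpt of the quoted output; the function names and the `max_drop_pct` threshold are assumptions made for illustration.

```python
import re

# Excerpt of the shutdown statistics quoted in the message above.
SAMPLE = """\
Run time prior to being shutdown was 4405.825615 seconds
Packet Wire Totals:
   Received:    366635284
   Analyzed:    129940618 (35.441%)
    Dropped:    236694431 (64.559%)
Outstanding:          235 (0.000%)
Breakdown by protocol (includes rebuilt packets):
      TCP: 52209130   (40.101%)
      UDP: 77359186   (59.419%)
Stream5 statistics:
              TCP Discards: 35617053
"""

# "Name: 12345" counters; section headers have no number on the same line.
COUNTER = re.compile(r"^[ \t]*([A-Za-z][\w .-]*?):[ \t]+(\d+)\b", re.M)
RUNTIME = re.compile(r"Run time prior to being shutdown was ([\d.]+) seconds")

def parse_stats(text):
    """Return (runtime_seconds or None, {counter_name: int})."""
    m = RUNTIME.search(text)
    runtime = float(m.group(1)) if m else None
    counters = {name.strip(): int(val) for name, val in COUNTER.findall(text)}
    return runtime, counters

def summarize(text, max_drop_pct=1.0):
    """Derive drop rate and packet rates; max_drop_pct is a hypothetical limit."""
    runtime, c = parse_stats(text)
    received = c.get("Received", 0)
    dropped = c.get("Dropped", 0)
    accounted = c.get("Analyzed", 0) + dropped + c.get("Outstanding", 0)
    drop_pct = 100.0 * dropped / received if received else 0.0
    out = {
        "drop_pct": drop_pct,
        "over_threshold": drop_pct > max_drop_pct,
        # Analyzed + Dropped + Outstanding should equal Received.
        "totals_consistent": accounted == received,
    }
    if runtime:  # rates only make sense when the run time line was found
        out["received_pps"] = received / runtime
        out["analyzed_pps"] = c.get("Analyzed", 0) / runtime
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the full exit output of a run works the same way, since lines without a `Name: number` shape are ignored.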
Current thread:
- Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 12)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Joel Esler (Jun 12)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 12)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Martin Roesch (Jun 12)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 12)
- <Possible follow-ups>
- Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 16)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Jason Wallace (Jun 16)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 17)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Jason Wallace (Jun 17)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 17)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Jason Wallace (Jun 17)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Jason Wallace (Jun 16)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Joel Esler (Jun 12)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Joel Esler (Jun 17)
- Re: Dropped: 236694431 (64.559%) 64% packet loss Pedro Marinho (Jun 17)