Snort mailing list archives
Re: Snort inline extremely slow packet forwarding
From: Hussein Bahaidarah <husseinb () gmail com>
Date: Sat, 16 Jul 2011 00:30:55 +0300
Hi Michael,

I believe an L2 loop will form. I have tested it and found that the switch (Cisco) disabled the port:

Jul 16 00:18:52: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/23.
Jul 16 00:18:52: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/23, putting Gi1/0/23 in err-disable state
Jul 16 00:18:53: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to down
Jul 16 00:18:54: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down

Loopback error

A loopback error occurs when the keepalive packet is looped back to the port that sent the keepalive. The switch sends keepalives out all the interfaces by default. A device can loop the packets back to the source interface, which usually occurs because there is a logical loop in the network that the spanning tree has not blocked. The source interface receives the keepalive packet that it sent out, and the switch disables the interface (errdisable). This message occurs because the keepalive packet is looped back to the port that sent the keepalive:

%PM-4-ERR_DISABLE: loopback error detected on Gi4/1, putting Gi4/1 in err-disable state

Keepalives are sent on all interfaces by default in Cisco IOS Software Release 12.1EA-based software. In Cisco IOS Software Release 12.2SE-based software and later, keepalives are not sent by default on fiber and uplink interfaces. For more information, refer to Cisco bug ID CSCea46385 (registered customers only). The suggested workaround is to disable keepalives and upgrade to Cisco IOS Software Release 12.2SE or later.

On Jul 15, 2011, at 11:24 PM, Michael Altizer wrote:

> I don't believe it should cause any sort of internal loop, but I have never tested it. Having additional Snort instances on the same set of interfaces should be fine as long as the others are not in inline mode. The AFPacket DAQ module cannot know about other instances running on the same traffic, so it would result in one copy of the packet being transmitted per inline copy of Snort on an interface pair.
>
> On 07/15/2011 03:25 PM, Hussein Bahaidarah wrote:
>
>> So, would that create an internal loop? What about if I want to run another instance of Snort with the same pair of interfaces: will it work, or will a loop take place?
>>
>> Regards,
>>
>> On Jul 15, 2011, at 10:14 PM, Michael Altizer wrote:
>>
>>> Correct. The inline mode of the AFPacket DAQ module handles all of the packet forwarding. By putting those interfaces in a bridge, you are retransmitting every packet a second time in addition to all of the other overhead associated with Linux bridges.
>>>
>>> On 07/15/2011 03:05 PM, Hussein Bahaidarah wrote:
>>>
>>>> Yes, I am bridging them in Linux. This is what I assumed should be done. Do you imply that I should break the bridge? Will Snort do the bridging instead? Eth1 is not used and not connected to anything.
>>>>
>>>> [root@IPS ~]# brctl show
>>>> bridge name	bridge id		STP enabled	interfaces
>>>> br0		8000.0010184d122c	no		eth3
>>>> 							eth2
>>>>
>>>> Thanks,
>>>>
>>>> On Jul 15, 2011, at 9:50 PM, Michael Altizer wrote:
>>>>
>>>>> On 07/15/2011 02:41 PM, Hussein Bahaidarah wrote:
>>>>>
>>>>>> Thanks Rmkml for the help. I found a workaround and I don't understand how and why it worked. First, let me explain my configuration: eth2 and eth3 are bridged and the Snort IPS should run on them; eth1 is not used.
>>>>>>
>>>>>> When I use "snort -N -K none -k notcp -c rules/inline -A console --daq afpacket -i eth3:eth2 -Q" the slowness problem appears.
>>>>>>
>>>>>> My workaround is to use "snort -N -K none -k notcp -c rules/inline -A console --daq afpacket -i eth3:eth1 -Q". This works fine, though eth1 is not used!!
>>>>>
>>>>> A couple of questions: What do you mean by "eth2 and eth3 are bridged"? You're not putting them into a Linux bridge (with brctl), right? Why is eth1 not being used in the second scenario?
------------------------------------------------------------------------------
AppSumo Presents a FREE Video for the SourceForge Community by Eric Ries, the creator of the Lean Startup Methodology on "Lean Startup Secrets Revealed." This video shows you how to validate your ideas, optimize your ideas and identify your business strategy.
http://p.sf.net/sfu/appsumosfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please see http://www.snort.org/docs for documentation
Current thread:
- Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Michael Altizer (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Michael Altizer (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Michael Altizer (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)
- Re: Snort inline extremely slow packet forwarding Hussein Bahaidarah (Jul 15)