Re: packet dropping question

[Mipam <mipam () ibb net>]

On Wed, Dec 12, 2001 at 10:14:41AM -0600, Mike Shaw wrote:
> I've been experiencing packet loss, and although I'm pushing the envelope 
> with the topology (I won't go into that yet), I'm a little curious as to 
> the symptoms.
>
> When I exclude all of my rules except two and run the process overnight, 
> snort reports very minimal packet loss.  When I start increasing the number 
> of rules, the packet loss gradually increases (seemingly in proportion, but 
> it's hard to tell).
>
> I was originally running on a PII 233, but upgraded to a PIII 500 to see if 
> it was just a horsepower issue.  It helped a little bit, but not much.
>
> Is the packet loss snort is reporting from the kernel, or is it from 
> snort?  If it is from snort, is the solution just a bigger processor? I 
> also disabled mysql logging while performing this test to see if barnyard 
> might be the solution but there was no real impact.

Have you tried the -b option from snort?
That way packet are logged in their native binary state.
It could help speeding up caturing traffic.
If you dont use it and for example use multiple times
the session command to monitor some plain text tcp sessions and other rules
which could cost more processing time you could experience the above
symptoms. I realize this doesnt explain the stuff you're experiencing,
but on the other hand we didnt see any of the rules you increase the rulebase
with whereafter the packetloss increases.
Bye,

Mipam.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users