Re: Snort dropping packets.

[Phil Wood <cpw () lanl gov>]

On Mon, Jul 15, 2002 at 12:16:17AM +0200, Emilio Mira wrote:
> I installed last libpcap version (0.7.1) from tcpdump.org after reading in
> the list that redhat libpcap was broken. 

Are you sure that when snort compiles and loads it is using both:

  -l<path_to_libpcap-0.7.1>

when compiling all the snort objects,

and

  -L<path_to_libpcap-0.7.1>

when loading the objects to create the snort executable?

I've had the problem before when I thought ./configure had built a 
Makefile properly, it was actually getting the linux release version
rather than the libpcap I had compiled from tcpdump.org.

> Is this problem caused by Snort, libpcap or kernel?. Snort reads packets
> from libpcap, so whether Snort says that is processing all packets (0%
> drops), must be because libpcap or kernel is dropping packets. So, how 
> could I know which one is dropping packets?.

Have you looked at /proc/net/dev and found any errors.  In my case the
device never has a problem.  Lost packets are a result of the application
not reading (vi libpcap) what the kernel has to offer in a timely manner.  On a 
loaded link, you can expect packet loss because of the multitude of rules
which require extensive pattern matching.  On weekends, I don't have
a problem.  During the week there is enough traffic to around 0.5 percent
packetloss (for the 24 hour period).  If you see errors in /proc/net/dev, they
will not be reflected in the data you get when snort calls pcap_stats.
And, you should consider upgrading the hardware device to eliminate the
problem.

> On Sun, 14 Jul 2002, Matt Kettler wrote:
>
> > Ok, I'll take a stab at a response.
> >
> > Don't use the libpcap that is supplied by RedHat if you want numbers you 
> > can trust. From what I've read, they decided to change the libpcap 
> > interfaces a bit and broke some things along the way in the process of 
> > creating a "turbo" mode or something of the like. I recall a lot of 
> > grumbling on the list about this, and I think snort includes fixes for the 
> > redhat changes, but I wouldn't trust them to work 100% since a large number 
> > of people have observed the same problems as you and reported them to the 
> > snort list.
> >
> > Try the official release of libpcap from tcpdump.org and see if you still 
> > have problems. (note that 0.6.2 is the latest versioned release)
> >
> >
> > At 04:25 PM 7/14/2002 +0200, Emilio Mira wrote:
> >
> > > I sent this mail few days ago, but I hadn't received any reply. It's about
> > > packets dropped by Snort.
> > >
> > > Anyone could give me a response?.
> > >
> > > Thank you.
> > >
> > > ---------- Forwarded message ----------
> > > Date: Thu, 11 Jul 2002 12:10:20 +0200 (CEST)
> > > From: Emilio Mira <emial () alumni uv es>
> > > To: snort-users () lists sourceforge net
> > > Subject: Snort dropping packets.
> > >
> > >
> > > Hi all,
> > >
> > > I'm meassuring Snort dropped packets with 'kill -USR1 <pid>' and
> > > apparently Snort is working without drops. But if I get received packets
> > > by the interface from /proc/net/dev and processed packets from Snort with
> > > 'kill -USR1 <pid>', there are diferences (see JPG attached).
> > >
> > > Why doesn't USR1 shows me real dropped packets?.
> > >
> > > I'm using Snort 1.8.7 with default configuration and libpcap 0.7.1 on
> > > RH7.2. and an ATM interface.
> > >
> > > Thanks.
> > >
> > > --
> > > Emilio Mira

-- 
Phil Wood, cpw () lanl gov



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users