Snort mailing list archives

kernel dropping packets.


From: Jonathan <rakocy () cs wisc edu>
Date: Mon, 29 Jul 2002 18:51:36 -0500 (CDT)

Snort runs on OpenBSD 3.1.  It sits on a gigabit interface connected to
our gateway.  I'm wondering if anyone has had a similar problem with
dropped packets.  I'm assuming that missing 73% of packets is very bad and
nearly defeats the purpose of running snort.  The hardware is all
new: 2GHz Athlon and 1GB of memory.  This is how I run snort.

#!/bin/sh
# -d dump application-layer data, -i listen on ti0, -l log directory,
# -c rules/config file, -D run as a daemon
/usr/local/bin/snort -d -i ti0 -l /usr/local/snort/logs \
    -c /usr/local/snort/rules/snort.conf -D

but when I run just this (snort -v) I lose the packets.  Is there any
way to check this information while snort is running via the top command I
use? Are dropped packets normal with snort just running in sniffer mode?
I ask because we had a break-in a week ago and there were only portscans
that showed up in the logs but the system had definitely been compromised.

Thank you,

~Jonathan Rakocy
Computer Systems Lab

snort -v
Snort analyzed 492 out of 3465 packets, The kernel dropped
2532(73.074%) packets

Breakdown by protocol:                Action Stats:
    TCP: 492        (14.199%)         ALERTS: 0         
    UDP: 0          (0.000%)          LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
Snort received signal 2, exiting
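The summary block above is the only place Snort reports kernel-level drops, and it is printed only at exit. The following script is an added example, not code from the poster or from the Snort project: it parses a summary of the shape shown above (the regular expressions assume that 2002-era text layout), recomputes the drop ratio from the raw counts rather than trusting the printed percentage, collects the per-protocol breakdown, and returns an alert string when the drop ratio exceeds a threshold. The embedded sample is constructed from the poster's own numbers.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the exit summary in the shape Snort printed in the
# post above, with the poster's numbers.
SAMPLE_SUMMARY = """\
Snort analyzed 492 out of 3465 packets, The kernel dropped
2532(73.074%) packets

Breakdown by protocol:                Action Stats:
    TCP: 492        (14.199%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
Snort received signal 2, exiting
"""

# Header line may wrap after "dropped", so allow any whitespace there.
HEADER_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets,\s*The kernel dropped\s*"
    r"(\d+)\((\d+\.\d+)%\) packets"
)
# Per-protocol rows: a single token, colon, count, percentage at line start.
# Multi-word labels such as "Fragmented IP Packets:" do not match.
PROTO_RE = re.compile(
    r"^\s*([A-Za-z0-9]+):\s+(\d+)\s+\((\d+\.\d+)%\)", re.MULTILINE
)


@dataclass
class SnortStats:
    analyzed: int            # packets Snort actually processed
    received: int            # packets the capture layer saw in total
    dropped: int             # packets the kernel/BPF buffer dropped
    reported_drop_pct: float  # the percentage Snort itself printed
    by_protocol: Dict[str, int] = field(default_factory=dict)

    @property
    def drop_ratio(self) -> float:
        """Drop ratio recomputed from raw counts (0.0 when nothing received)."""
        return self.dropped / self.received if self.received else 0.0


def parse_snort_summary(text: str) -> SnortStats:
    """Parse a Snort exit summary; raises ValueError if the header is absent."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no Snort packet summary found in input")
    analyzed, received, dropped = (int(x) for x in m.group(1, 2, 3))
    stats = SnortStats(analyzed, received, dropped, float(m.group(4)))
    for proto, count, _pct in PROTO_RE.findall(text):
        stats.by_protocol[proto] = int(count)
    return stats


def drop_alert(stats: SnortStats, threshold: float = 0.01) -> Optional[str]:
    """Return an alert message when the kernel drop ratio exceeds threshold,
    otherwise None.  The 1% default is an assumed operational limit."""
    if stats.drop_ratio > threshold:
        return (
            f"kernel dropped {stats.dropped}/{stats.received} packets "
            f"({stats.drop_ratio:.1%}, above the {threshold:.0%} threshold)"
        )
    return None


if __name__ == "__main__":
    s = parse_snort_summary(SAMPLE_SUMMARY)
    print(f"analyzed={s.analyzed} received={s.received} dropped={s.dropped}")
    print(f"by protocol: {s.by_protocol}")
    print(drop_alert(s) or "drop ratio within threshold")
```

Run it against the saved output of a Snort run to get a single go/no-go line for the sensor; on the poster's numbers it reports a 73.1% kernel drop ratio, matching the figure Snort printed, and fires the alert.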




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users