Snort mailing list archives

RE: kernel dropping packets.


From: Virgil <virgil () webcentral com>
Date: Wed, 31 Jul 2002 10:09:33 +1000

> wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is
> something funky w/ your e-net driver or pcap libs? Or maybe

This was reported from a FreeBSD 4.6 STABLE box w/ an fxp card.
Last make world done on July 11.

$ cat /usr/src/contrib/libpcap/VERSION
0.7

Which is not 0.7.1 as per the www.tcpdump.org

> even the packet
> loss counter itself? This may be something to post over on snort-dev.

CC'd but it might bounce.
 
> You also generated over 1K alerts, which makes the case for
> tuning your ruleset a bit more.

If I drop the directory traversal web alerts, or at least make them
trigger on more than 2 .. it's a little better.

> That's a lot of data to wade through, and
> a lot of those are falses or stuff you're not interested in.

Some of them anyway.


> Where is the box's placement in relation to the rest of your
> network? Span port on a core switch? Is there any possibility of breaking

yes.  SPAN port on one of the core L3 switches.  But this is just for 3
VLANs.  They happen to be 3 of the biggest VLANs, and equate to about 50% of
my traffic.

> it out by VLAN tags or segments, maybe hanging a couple of additional nics
> off the box?

Done that on a Linux box.  4 NICs being monitored by snort.  It's a 4 port
card, and one of the interfaces doesn't always come up after a reboot.  IRQ
problem.  6 NICs total in the box. (4 monitor, 1 management, 1 sql xover)

But I have an interrupt processing problem.

   procs                      memory    swap          io     system         cpu
 r  b  w   swpd   free   buff  cache  si  so    bi    bo   in    cs  us  sy  id
 1  0  1      0 1422624 105564 427584   0   0     0     0 26722   806  38  20  43
 1  0  1      0 1422408 105576 427584   0   0     0   131 26358   749  38  24  38
 1  0  1      0 1422268 105576 427584   0   0     0     0 26546   780  38  22  40
 1  0  1      0 1422128 105576 427584   0   0     0     0 25893   680  37  23  40
 1  0  1      0 1421988 105576 427584   0   0     0     0 25700   670  39  20  42
 1  0  2      0 1421824 105576 427584   0   0     0     0 25922   666  42  19  40
 1  0  2      0 1421672 105580 427600   0   0    16   107 25456   668  35  25  40


And the snort stats dump from this box after 15 minutes.

Jul 31 10:04:47 mrnarc snort: ===============================================================================
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)         LOGGED: 414
Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)          PASSED: 9642
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
Jul 31 10:04:47 mrnarc snort:    IPv6: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:     IPX: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort:   OTHER: 224719     (9.148%)
Jul 31 10:04:47 mrnarc snort: DISCARD: 0          (0.000%)
Jul 31 10:04:47 mrnarc snort: ===============================================================================
Jul 31 10:04:47 mrnarc snort: Fragmentation Stats:
Jul 31 10:04:48 mrnarc snort: Fragmented IP Packets: 33         (0.001%)
Jul 31 10:04:48 mrnarc snort:     Fragment Trackers: 22
Jul 31 10:04:48 mrnarc snort:    Rebuilt IP Packets: 2
Jul 31 10:04:48 mrnarc snort:    Frag elements used: 4
Jul 31 10:04:48 mrnarc snort: Discarded(incomplete): 0
Jul 31 10:04:48 mrnarc snort:    Discarded(timeout): 16
Jul 31 10:04:48 mrnarc snort:   Frag2 memory faults: 0
Jul 31 10:04:48 mrnarc snort: ===============================================================================
Jul 31 10:04:48 mrnarc snort: TCP Stream Reassembly Stats:
Jul 31 10:04:48 mrnarc snort:         TCP Packets Used: 2783803    (113.321%)
Jul 31 10:04:48 mrnarc snort:          Stream Trackers: 432582
Jul 31 10:04:48 mrnarc snort:           Stream flushes: 39931
Jul 31 10:04:48 mrnarc snort:            Segments used: 81430
Jul 31 10:04:48 mrnarc snort:    Stream4 Memory Faults: 21
Jul 31 10:04:48 mrnarc snort: ===============================================================================


I'm trying to get GigE working now.  Hopefully one card will reduce the
interrupt handling.


Virgil
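A sanity check over stats dumps like the one in this post, added here as an example (not code from the post or from Snort itself): it parses the syslog-wrapped counters and flags exactly what the thread is puzzling over, protocol shares above 100% and more packets analyzed than received, alongside the kernel drop rate. The sample lines are constructed from the figures above; the 5% drop threshold is an assumption.

```python
import re

# Constructed sample: a subset of the Snort stats block from the post, as logged via syslog.
SAMPLE_LOG = """\
Jul 31 10:04:47 mrnarc snort: Snort analyzed 5676495 out of 2456567 packets,
Jul 31 10:04:47 mrnarc snort: The kernel dropped 2305736(93.860%) packets
Jul 31 10:04:47 mrnarc snort: Breakdown by protocol:                Action Stats:
Jul 31 10:04:47 mrnarc snort:     TCP: 2887373    (117.537%)         ALERTS: 688
Jul 31 10:04:47 mrnarc snort:     UDP: 802342     (32.661%)         LOGGED: 414
Jul 31 10:04:47 mrnarc snort:    ICMP: 31047      (1.264%)          PASSED: 9642
Jul 31 10:04:47 mrnarc snort:     ARP: 1731028    (70.465%)
"""

ANALYZED_RE = re.compile(r"Snort analyzed (\d+) out of (\d+) packets")
DROPPED_RE = re.compile(r"The kernel dropped (\d+)\(([\d.]+)%\) packets")
PROTO_RE = re.compile(r"^\s*(TCP|UDP|ICMP|ARP|IPv6|IPX|OTHER|DISCARD): (\d+)\s+\(([\d.]+)%\)")


def parse_snort_stats(text):
    """Parse a syslog-wrapped Snort stats dump into a dict of raw counters."""
    stats = {"protocols": {}}
    for line in text.splitlines():
        body = line.split("snort: ", 1)[-1]  # drop the "Mon DD HH:MM:SS host snort: " prefix
        if m := ANALYZED_RE.search(body):
            stats["analyzed"], stats["received"] = int(m.group(1)), int(m.group(2))
        elif m := DROPPED_RE.search(body):
            stats["dropped"], stats["dropped_pct"] = int(m.group(1)), float(m.group(2))
        elif m := PROTO_RE.search(body):
            stats["protocols"][m.group(1)] = (int(m.group(2)), float(m.group(3)))
    return stats


def drop_ratio(stats):
    """Recompute the drop percentage from the raw counters (drops relative to received)."""
    return 100.0 * stats["dropped"] / stats["received"]


def check_counters(stats, max_drop_pct=5.0):
    """Return findings: impossible counter relationships plus an excessive drop rate."""
    findings = []
    if stats["analyzed"] > stats["received"]:
        findings.append("analyzed > received: the counters themselves are unreliable")
    for proto, (count, pct) in stats["protocols"].items():
        if pct > 100.0 or count > stats["received"]:
            findings.append(f"{proto} share {pct}% exceeds 100%: counters are unreliable")
    if stats["dropped_pct"] > max_drop_pct:
        findings.append(f"kernel drop rate {stats['dropped_pct']}% exceeds {max_drop_pct}%")
    return findings
```

When the first two kinds of finding appear, the drop percentage cannot be trusted either, so treat the counters as a bug report rather than a load measurement.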

