Re: Snort stopping - too much traffic?

[Erek Adams <erek () theadamsfamily net>]

On Mon, 28 Oct 2002, Scott Williams wrote:

> I'm running Snort with a 100MB NIC and everything was fine until I started
> sending it more traffic. I'm now sending about 40Mbps to it and it will run
> for an hour or so and then stop. I get the syslog message "kernel: eth1: Too
> much work in interrupt, status e401". I wonder if this is what happens when
> the NIC buffers get too full. Anyone had a similar experience?

1.9.0 doesn't seem to exhibit this, or at least in my setup.  I'd guess
that you are running < 1.8.7.  Another thing that you might want to check
is your card, driver and kernel.  I know that a _LOT_ of folks are using
it on quite a bit more traffic (x 2.5+) with no issues.  That would tend
to point to your hardware and not to snort.

Is this a slow box or a 'generic' nic?  If so, you might want to consider
changing hardware.  If you dig around on Intel's site you can/could find a
'demo unit' offer for a 10/100/1000 card for $39.00 (USD).  Since NIC's
are cheaper than boxes, you might want to check that out.  :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users