Re: snort under high density traffic

[Mehmet Ersan TOPALOGLU <mersan () ceng metu edu tr>]

Edin Dizdarevic wrote:
> Hi,
>
> Mehmet Ersan TOPALOGLU wrote:
>
> > Edin Dizdarevic wrote:
> >
> >
> > > Hi,
> > >
> > > Mehmet Ersan TOPALOGLU wrote:
>
> [...]
>
> > i tried cross cable and results didn't change much.
> > with -r 1(that is 1 mbit/sec) option of tcpreplay statistics almost
> > equal tcpreplay reports 1663986 packets sent
> > "snort analysed 1663986 out of 1676198 packets dropping ..."
> >
> > but with -r 30(30Mbit/sec) option statistics almost double :(
> > again same dump tcpreplay repots same but
> > "snort analysed 1663986 out of 3265264 packets dropping ..."
>
>
> would you please deactivate all rules and all preprocessors in order to
> get Snort loosing no packets. Are you still using Snort 1.9? I've never
> seen Snort loosing packets at 1Mbit even with all rules active.
> Deactivate all logging plugins too and see if you can get Snort so far
> loosing no packets at all.
Above results were with snort 2.0.1
Actually with snort v1.9 and libpcap v0.7
snort weren't dropping any packets and i was getting correct
statistics with 1Mbit/sec.

> Regards
>
> Edin


--
- mersan
    mersan () ceng metu edu tr
    mersan () metu edu tr

        Budi srecna. Meni je to dovoljno.



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users