Snort mailing list archives

RE: Snort as Gigabit Sensor


From: Banniza Robert <Robert.Banniza () HCAhealthcare com>
Date: Thu, 24 Jul 2003 15:32:40 -0500

I'm basing this on kill -10 <snort pid> results:

Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: Snort analyzed 152175492 out of 249157642 packets,
Jul 24 15:31:54 aurora2 snort: dropping 96982150(38.924%) packets
Jul 24 15:31:54 aurora2 snort: Breakdown by protocol:                Action Stats:
Jul 24 15:31:54 aurora2 snort:     TCP: 53948857   (21.653%)         ALERTS: 10514
Jul 24 15:31:54 aurora2 snort:     UDP: 889734     (0.357%)          LOGGED: 10749
Jul 24 15:31:54 aurora2 snort:    ICMP: 229141     (0.092%)          PASSED: 82898
Jul 24 15:31:54 aurora2 snort:     ARP: 37066      (0.015%)
Jul 24 15:31:54 aurora2 snort:   EAPOL: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort:    IPv6: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort:     IPX: 132        (0.000%)
Jul 24 15:31:54 aurora2 snort:   OTHER: 65709      (0.026%)
Jul 24 15:31:54 aurora2 snort: DISCARD: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: Wireless Stats:
Jul 24 15:31:54 aurora2 snort: Breakdown by type:
Jul 24 15:31:54 aurora2 snort:     Management Packets: 0          (0.000%)
Jul 24 15:31:54 aurora2 snort:     Control Packets:    0          (0.000%)
Jul 24 15:31:54 aurora2 snort:     Data Packets:       0          (0.000%)
Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: Fragmentation Stats:
Jul 24 15:31:54 aurora2 snort: Fragmented IP Packets: 34312      (0.014%)
Jul 24 15:31:54 aurora2 snort:     Fragment Trackers: 13449
Jul 24 15:31:54 aurora2 snort:    Rebuilt IP Packets: 11683
Jul 24 15:31:54 aurora2 snort:    Frag elements used: 23663
Jul 24 15:31:54 aurora2 snort: Discarded(incomplete): 0
Jul 24 15:31:54 aurora2 snort:    Discarded(timeout): 13041
Jul 24 15:31:54 aurora2 snort:   Frag2 memory faults: 0
Jul 24 15:31:54 aurora2 snort: ===============================================================================
Jul 24 15:31:54 aurora2 snort: TCP Stream Reassembly Stats:
Jul 24 15:31:54 aurora2 snort:         TCP Packets Used: 53948670   (21.652%)
Jul 24 15:31:54 aurora2 snort:          Stream Trackers: 660310
Jul 24 15:31:54 aurora2 snort:           Stream flushes: 250914
Jul 24 15:31:54 aurora2 snort:            Segments used: 732724
Jul 24 15:31:54 aurora2 snort:    Stream4 Memory Faults: 0
Jul 24 15:31:54 aurora2 snort: ===============================================================================

-----Original Message-----
From: Marc Quibell [mailto:mquibell () fbfs com]
Sent: Thursday, July 24, 2003 3:21 PM
To: snort-users () lists sourceforge net
Cc: Robert.Banniza () HCAhealthcare com
Subject: Re: [Snort-users] Snort as Gigabit Sensor




Hey Robert,
How do you know you're not ALWAYS getting 40% packet loss? Maybe you have a
bad cable/port?

Cheers!
Q

--From: Banniza Robert <Robert.Banniza () HCAhealthcare com>
--To: "'snort-users () lists sourceforge net'"
--    <snort-users () lists sourceforge net>
--Date: Thu, 24 Jul 2003 13:43:39 -0500
--Subject: [Snort-users] Snort as Gigabit Sensor

--Anyone have any good pointers on tuning Linux (Redhat 9) as a gigabit
--sensor? Currently, we are using a Broadcom Corporation NetXtreme BCM5703
--Gigabit Ethernet (TG3 kernel module) Netgear card as the sniffing card. We
--have set up a span port so that we can see all traffic on a Cisco 6509. The
--sad thing is we are encountering 40% packet loss. The network interfaces
--were statically compiled into the kernel and /etc/sysctl.conf was modified
--with the following to provide larger buffers:

<snip>
--Thanks
--Robert
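
Added example, not part of the original thread: a small parser for the `kill -10` stats dump shown above that separates the cumulative drop percentage from the drop rate between two successive dumps, which is the distinction the "ALWAYS getting 40%" question turns on. It assumes the counters are cumulative since Snort started; the function names are hypothetical and the second dump in the sample is constructed.

```python
import re

# The two syslog lines Snort writes on SIGUSR1 (kill -10), as shown in the post.
ANALYZED = re.compile(r"Snort analyzed (\d+) out of (\d+)")
DROPPED = re.compile(r"dropping (\d+)\(")

def parse_snapshots(syslog_text):
    """Return one (analyzed, total, dropped) tuple per stats dump found."""
    snaps, pending = [], None
    for line in syslog_text.splitlines():
        m = ANALYZED.search(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        m = DROPPED.search(line)
        if m and pending:
            snaps.append((pending[0], pending[1], int(m.group(1))))
            pending = None
    return snaps

def drop_pct(total, dropped):
    """Percentage of packets dropped; 0.0 when nothing was seen."""
    return 100.0 * dropped / total if total else 0.0

def interval_drop_pct(prev, cur):
    """Drop rate between two dumps (assumes cumulative counters).

    Returns None when the counters did not advance or went backwards,
    which is what a Snort restart between the dumps looks like.
    """
    d_total, d_drop = cur[1] - prev[1], cur[2] - prev[2]
    if d_total <= 0 or d_drop < 0:
        return None
    return drop_pct(d_total, d_drop)

# First dump is from the post; the second one is constructed for illustration.
SAMPLE = """\
Jul 24 15:31:54 aurora2 snort: Snort analyzed 152175492 out of 249157642 packets,
Jul 24 15:31:54 aurora2 snort: dropping 96982150(38.924%) packets
Jul 24 15:41:54 aurora2 snort: Snort analyzed 153975492 out of 251157642 packets,
Jul 24 15:41:54 aurora2 snort: dropping 97182150(38.694%) packets
"""

if __name__ == "__main__":
    first, second = parse_snapshots(SAMPLE)
    print("cumulative:    %.3f%%" % drop_pct(first[1], first[2]))
    print("last interval: %.3f%%" % interval_drop_pct(first, second))
```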




