Snort mailing list archives

Testing problem, slow


From: "Bryan Taylor" <bcptaylor () comcast net>
Date: Mon, 24 Nov 2003 07:13:13 -0500

I am attempting to conduct basic tests on Snort 2.0.1 (Build 88) running on
an RLX server blade with dual 2.8 Xeons and 2G RAM and on a Dell 2650, same
setup -- plenty of hardware IMHO to run on a Gig network.  The OS is RedHat
9 with kernel 2.4.20.  The test consists of throwing artificial traffic to a
number of ports on a Cisco switch simultaneously (this is not the issue).  I
began trying for 40Mbps, and I always get approximately 40% dropped packets.
Not believing this, I read about RedHat's libpcap error, and replaced it.  I
compiled libpcap-current from today from tcpdump.org, dated 22-nov-2003.  I
compiled snort, being sure to link with the only libpcap on the system (the
one I just compiled).  I run snort with the default ruleset in a script as
such:
snort -c /etc/snort/snort.conf -i eth0 -b -Afast -l /var/log/snort/eth0 -I > /var/log/snort/eth0/out 2> /var/log/snort/eth0/err &
sleep 2m
kill `pidof snort`

I have dropped the speed of the traffic to as low as 4Mbps, and I get about
the same 40% drop rate.  On the 2650, I ran ethereal in place of snort, and
ethereal reports very different numbers of packets total and dropped.  Both
snort and ethereal report unrealistic numbers, such as (ethereal) ~819,000
packet count, ~4100000 dropped.  The speed of the traffic coming in from the
source is exactly 10,416 packets per second, 64 bytes per packet.  In 2
minutes, there ought to be ~1.2 million packets...not far off from the
reported.  The speed ought to be ~5Mbps, also close to the reported.

So what am I missing?  Why is it a) so inaccurate in reporting dropped
packets or b) so slow?  Any input would be greatly appreciated.

Taylor
bcptaylor () comcast net


