Snort mailing list archives

Testing problem


From: bcptaylor () comcast net
Date: Sat, 22 Nov 2003 20:57:56 +0000

I am attempting to conduct basic tests on Snort 2.0.1 (Build 88) running on an RLX server blade with dual 2.8 Xeons and 
2G RAM and on a Dell 2650, same setup -- plenty of hardware IMHO to run on a Gig network.  The OS is RedHat 9 with 
kernel 2.4.20.  The test consists of throwing artificial traffic to a number of ports on a Cisco switch simultaneously 
(this is not the issue).  I began trying for 40Mbps, and I always get approximately 40% dropped packets.  Not believing 
this, I read about RedHat's libpcap error, and replaced it.  I compiled libpcap-current from today from tcpdump.org, 
dated 22-nov-2003.  I compiled snort, being sure to link with the only libpcap on the system (the one I just compiled). 
I run snort with the default ruleset in a script as such:
snort -c /etc/snort/snort.conf -i eth0 -b -Afast -l /var/log/snort/eth0 -I > /var/log/snort/eth0/out 2> /var/log/snort/eth0/err &
sleep 2m
kill `pidof snort`

I have dropped the speed of the traffic to as low as 4Mbps, and I get about the same 40% drop rate.  On the 2650, I ran 
ethereal in place of snort, and ethereal reports very different numbers of packets total and dropped.  Both snort and 
ethereal report unrealistic numbers, such as (ethereal) ~819,000 packet count, ~4100000 dropped.  The speed of the 
traffic coming in from the source is exactly 10,416 packets per second, 64 bytes per packet.  In 2 minutes, there ought 
to be ~1.2 million packets...not far off from the reported.  The speed ought to be ~5Mbps, also close to the reported.

So what am I missing?  Why is it a) so inaccurate in reporting dropped packets or b) so slow?  Any input would be 
greatly appreciated.  

Taylor
bcptaylor () comcast net

