Snort mailing list archives

RE: Dropping packets why?


From: "O'Flynn, Derek" <DOFlyn () lsuhsc edu>
Date: Mon, 27 Oct 2003 14:01:01 -0600

I have a 15mb pipe to the Internet; these are reports from tcpdump.

Dual p133 256mb I drop 50% packets.

Quad ppro200 1gb I drop about 20%.

Both were running FreeBSD 5.1 with custom SMP kernels and 3com905.

Derek

-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Monday, October 27, 2003 12:25 PM
To: Elijah Savage; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Dropping packets why?

At 04:15 PM 10/25/2003, Elijah Savage wrote:
> I have snort set up on my openbsd firewall with 3 interfaces
> 2 intel interfaces
> 1 3com interface
> All are pci on 100mbit switches
> K62 300 128 meg of mem
>
> I figured this machine should be strong enough to simply handle a cable
> connection but I am dropping packets
>
> Snort analyzed 19376 out of 20072 packets, dropping 696(3.468%) packets
>
> I am running barnyard logging to a mysql database and using acid but all
> that is set up on a totally different machine.
>
> Any ideas where I can start looking to try and correct this, basically
> running with the default config except for changing the home_net. I want
> to see if I can figure this out then I will start tuning.

You're most likely dropping packets because your system is vastly 
underpowered in the CPU department... a K6-2 is a classic Pentium type 
architecture, with L2 cache residing on the front-side bus. With a peak L2 
cache speed of 100mhz (and some are only 66) it has almost 0 chance of 
keeping up with any kind of high-speed burst of data like you'll get on a 
100mbit line.

You can probably save a whole lot of CPU time and get your packet drop rate 
down quite a bit by disabling the spp_conversation and spp_portscan2 
preprocessors, but you'll lose the functionality of the portscan 
preprocessor....

If you're going to try to monitor sustained 100mbit/sec traffic, and want 
all the preprocessors on, consider a 1ghz p3 or Athlon as an absolute 
minimum system configuration.



