Re: dropping packets

[hchlai () netscape net (Hugo)]

Glad to have you here Marty. I'm running RHWS 3 on the sensors and I'm pretty sure my hardware should deliver the 
performance I expected - 3.2GHz Xeon with 1Gig RAM. I have tuned stream4 preprocessor to 128MB and frag2 to use 64MB, 
although I have not seen any memory faults yet. I would try to take Barry's advise and upgrade my libpcap to 3.8.3 (I'm 
currently on 3.7.2) and hope to get a performance boost. Any further advise or suggestions are appreciated!

ps. I'm still at the implementation stage and that's why I'm running the verbose mode. I'll take it out once it go to 
production.

Hugo


Martin Roesch <roesch () sourcefire com> wrote:

> Hi Hugo,
>
> Try getting rid of the -v option when you're running Snort, that may be 
> draining some performance and since you're in daemon mode.  What's the 
> platform/specs of the box you're running Snort on?
>
>       -Marty
>
> On Jan 26, 2005, at 12:32 PM, Hugo wrote:
>
> > I have realized that Snort has been dropping packets even I'm running 
> > it inconjuction with Barnyard. Does anybody know what causes Snort to 
> > drop packets? I'm running Barnyard with these options:
> >
> > barnyard -c -d -g -f -s -n -w -a
> >
> > and Snort with the following:
> >
> > snort -c -i -g -Dv
> >
> > I'm recording about 1%-2% of packets being dropped by Snort... 
> > sometimes as high as 6%. Many thanks!
> >
> > Hugo
> >
> >
> > __________________________________________________________________
> > Switch to Netscape Internet Service.
> > As low as $9.95 a month -- Sign up today at 
> > http://isp.netscape.com/register
> >
> > Netscape. Just the Net You Need.
> >
> > New! Netscape Toolbar for Internet Explorer
> > Search from anywhere on the Web and block those annoying pop-ups.
> > Download now at http://channels.netscape.com/ns/search/install.jsp
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
> > Tool for open source databases. Create drag-&-drop reports. Save time
> > by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
> > Download a FREE copy at http://www.intelliview.com/go/osdn_nl
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> -- 
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover.  Determine.  Defend.
> roesch () sourcefire com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp


-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users