Re: pfring and traffic splitting

[Joel Esler <jesler () sourcefire com>]

On Nov 6, 2012, at 10:42 AM, Greg Williams <gwillia5 () uccs edu> wrote:

> Thanks Peter, I tried it, and I'll leave it running for a while.  Looks like it's still dropping about 43% of packets 
> with only 83Mbps right now.  I'm guessing it has something to do with packet reassembly in Stream5.  If I turn off 
> tcp reassembly, I don't lose any packets, but then I also don't get any alerts.  
>
> According to the performance stats:  
>
> Num            Preprocessor                  Layer       Checks        Exits               Microsecs      Avg/Check   
> Pct of Caller           Pct of Total
> ===            ============              =====     ======      =====           =========  ========= ============= 
> ============
> 1                   s5TcpProcessRebuilt     4                29922             29922             22845088     763.49  
>           4101.47                    36.70

You should never turn off stream5.

It's more than just a preprocessor, it's the life blood.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!