Re: pfring and traffic splitting

[beenph <beenph () gmail com>]

On Tue, Nov 6, 2012 at 12:59 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Nov 6, 2012, at 10:42 AM, Greg Williams <gwillia5 () uccs edu> wrote:
>
> Thanks Peter, I tried it, and I'll leave it running for a while.  Looks like
> it's still dropping about 43% of packets with only 83Mbps right now.  I'm
> guessing it has something to do with packet reassembly in Stream5.  If I
> turn off tcp reassembly, I don't lose any packets, but then I also don't get
> any alerts.
>
> According to the performance stats:
>
> Num            Preprocessor                  Layer       Checks        Exits
> Microsecs      Avg/Check   Pct of Caller           Pct of Total
> ===            ============              =====     ======      =====
> =========  ========= ============= ============
> 1                   s5TcpProcessRebuilt     4                29922
> 29922             22845088     763.49            4101.47
> 36.70
>
>
> You should never turn off stream5.
>
> It's more than just a preprocessor, it's the life blood.

Just a guess in there but i guess that the stream5 memcap could be a
reason why your dropping stuff,
try to raise the bar.

-elz

------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!