Snort mailing list archives

Snort-2.9.0.5 and Jumbo Frames


From: "Chinmay Mahata" <chinmay_mahata () rediffmail com>
Date: 12 Nov 2012 14:24:08 -0000

Hi,
   I am new to this list and this is my first post in this mailing list. Hope I am asking the right group.

I am running snort-2.9.0.5 with daq-0.5 on a Fedora 13 box (configured as a bridge with ports eth0 as LAN and eth1 as WAN) in inline mode with daq and other options given below. And multiple instances of Snort.

./snort -D -q -Q -c /tmp/etc/snort.conf --daq nfq --daq-var queue=3 --daq-var queue_len=1024 --daq-var device=br0 

In snort.conf we put the following lines.
    config snaplen: 65536
    preprocessor dcerpc2: memcap 102400, events [co ], max_frag_len 65535

Also set the MTU on br0, eth0 and eth1 as 9000


While running tcpdump on both eth0 and eth1, we observed that:
1. Jumbo packets (length > 1518) are coming to Snort on eth1 (WAN).
2. But on the LAN side we could not find any such Jumbo packets. Seems packets are getting dropped by Snort.
3. Also throughput is very very slow. Sometimes web pages are not opening at all.


But if we do not run Snort or by-pass packets then there is no such problem we are facing.


Could anybody please help me to figure out and fix the problem?


Thanks in advance.

Best regards,
--Chinmay


