[Snort-devel] Large Packet Drop with Snort-2.9.80 as compared to Snort-2.9.7.6

Dheeraj Gupta dheeraj.gupta4 at ...2499...
Mon Dec 14 23:33:20 EST 2015


Hi,

The traffic is captured from a live interface, so it is not exactly the same.
However, it is from the same network and same network filter over a
contiguous time range. So, characteristics of the traffic are broadly the
same i.e. most of it is user browsing data. The reason I wrote this e-mail
is because on a weekday, we have an average 100-150 Mbps on the wire and
Snort-2.9.7.6 reported fewer losses (<10%). However, Snort-2.9.8.0 reported
over 40% drops with comparable traffic load/pattern.

Snort logs do not have any additional entry apart from session pruned due
to timeout/stale (same in both cases).

Regards,
Dheeraj

On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) <navk at ...3482....>
wrote:

> Hi Dheeraj,
>
>    We need more info to get to a conclusion.
>
>
>
> Are you passing the same traffic in both scenarios??
>
>
>
> Did you verify snort logs ??
>
> You may know the reason for pkt drops.
>
>
>
> We did not notice these problems in our observation.
>
> More details may help us to analyze the problem.
>
>
>
> Best Regards,
>
> -ANR
>
>
>
> *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 at ...2499...]
> *Sent:* Monday, December 14, 2015 11:30 AM
> *To:* snort-devel at lists.sourceforge.net
> *Subject:* [Snort-devel] Large Packet Drop with Snort-2.9.80 as compared
> to Snort-2.9.7.6
>
>
>
> Hi,
>
> I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade
> one of my sensors showed (somewhat expected) packet drops. However, after
> the upgrade the packet drop increased significantly even though the number
> of rules decreased (as SO rules are not in use with 2.9.8.0). I am still
> using Snort-2.9.7.6 rulesets (as advised by you).
>
> Here is a snip from my snort.stats file for 2.9.8.0
>
> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
> 1450068900,33.873,124.415
> 1450069200,23.718,121.253
> 1450069500,26.014,120.349
> 1450069800,26.368,120.821
> 1450070100,23.706,116.493
> 1450070400,21.039,121.363
>
> For Snort-2.9.7.6, the snip is
> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
> 1450071180,0.000,79.159
> 1450071480,0.000,118.671
> 1450071780,2.146,132.186
> 1450072080,8.337,130.408
>
>
>
> Looking at end-of-snort stats. This is for 2.9.8.0
>
> Packet I/O Totals:
>    Received:    804563792
>    Analyzed:    388361098 ( 48.270%)
>     Dropped:    298207658 ( 27.042%)
>    Filtered:    415840607 ( 51.685%)
>    Outstanding:       362087 (  0.045%)
>    Injected:            0
>
> And this is for 2.9.7.6
>
> Packet I/O Totals:
>    Received:     60969886
>    Analyzed:     30035104 ( 49.262%)
>     Dropped:       742645 (  1.203%)
>    Filtered:     30927585 ( 50.726%)
>    Outstanding:         7197 (  0.012%)
>    Injected:            0
>
> I have a longish BPF filter, so is the filtered count an indication of the
> amount of traffic which was filtered by that filter?
>
> Also is dropped count a subset of analyzed count or received count? I ask
> this because it appears
>
> received_count = analyzed + filtered
>
> so dropped_count doesn't really fit in
>
>
>
> Regards,
>
> Dheeraj
>
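Added example, not part of the thread: a small Python check of the counters quoted above. It parses the "Packet I/O Totals" block and the snort.stats snip, and reproduces Snort's printed percentages from the raw counts, which shows how Dropped relates to Received (the quoted figures only come out if Dropped is counted outside Received, as packets the DAQ lost before Snort saw them, with its percentage taken over Received + Dropped). The sample strings are copied from the quoted output; `intervals_over` goes a step beyond the thread and flags snort.stats intervals above a drop threshold for alerting.

```python
import re
# Constructed samples: the 2.9.8.0 'Packet I/O Totals' block and the first
# rows of its snort.stats snip, both as quoted in the thread.
IO_TOTALS_2980 = """Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0
"""
SNORT_STATS_2980 = """#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
"""
_COUNTER = re.compile(r"^\s*(\w+):\s+(\d+)", re.M)

def parse_io_totals(text):
    """Map each counter of a 'Packet I/O Totals' block to its integer value."""
    return {m.group(1).lower(): int(m.group(2)) for m in _COUNTER.finditer(text)}

def recompute_percentages(totals):
    """Re-derive Snort's percentages: Analyzed, Filtered and Outstanding are
    shares of Received and sum to it; Dropped is counted outside Received
    (lost by the DAQ before Snort saw them), so it is a share of Received + Dropped."""
    rx, drop = totals["received"], totals["dropped"]
    if totals["analyzed"] + totals["filtered"] + totals["outstanding"] != rx:
        raise ValueError("Received != Analyzed + Filtered + Outstanding")
    return {
        "analyzed": round(100 * totals["analyzed"] / rx, 3),
        "filtered": round(100 * totals["filtered"] / rx, 3),
        "outstanding": round(100 * totals["outstanding"] / rx, 3),
        "dropped": round(100 * drop / (rx + drop), 3),
    }

def parse_snort_stats(text):
    """Parse a snort.stats (perfmonitor) CSV snip: the '#' line names the
    columns, each later row is one sampling interval."""
    rows, columns = [], []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            columns = line[1:].split(",")
        else:
            rows.append(dict(zip(columns, map(float, line.split(",")))))
    return rows

def intervals_over(rows, max_drop_percent):
    """(epoch, pkt_drop_percent) for intervals above the threshold, for alerting."""
    return [(int(r["time"]), r["pkt_drop_percent"]) for r in rows if r["pkt_drop_percent"] > max_drop_percent]
```

Feeding the 2.9.7.6 totals from the thread through `recompute_percentages` reproduces its printed 1.203% drop the same way, i.e. 742645 / (60969886 + 742645).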