[Snort-users] Linux packet loss statistics?

Mike Johnson mike at ...874...
Thu Apr 5 14:44:20 EDT 2001


I haven't used snort on a Linux box in a while (had been
sticking with OpenBSD).  I remember, way back when, snort
wouldn't dump packet loss statistics for Linux.  However, 
on my Red Hat 7 box, running kernel 2.4.3 and libpcap 0.6.2,
snort is giving me packet loss statistics.

Okay, that's cool, but are they accurate?  I'm rethinking my
OpenBSD decision (I haven't outright changed my mind, just
yet), so I decided I would set up a test.  

I've got three identical systems.  All are pretty good
hardware and use the Intel eepro100 card (well, the
onboard version).  I've got all three plugged into an
HP ProCurve switch with one port set up as a monitoring
port.  One of the deciding factors in the whole thing
has been that OpenBSD has a better reputation when
it comes to packet capture.  There are other reasons
that I'm considering Linux, so I wanted to see if
Linux has made any improvements in the packet capture
area.

So, I run HP's netperf between two of the boxes, and then
sit back and snort on the third.  I limit the test to
1000000 packets so I don't fill my disks, because 
netperf pushes around 92Mbps between the other two
boxes.

My snort command line:
snort -de -i fxp1 -l . -n 1000000

According to the packet loss statistics, OpenBSD is
dropping packets.  Anywhere from half a percent to
sixty (yes, 60) percent.  

For the moment, I'm not too worried about that.  What
bothers me is that according to the statistics for
Linux, it's dropping -no- packets.  That's right,
zero percent.  Buh?

So, what's the deal with the packet loss stats for
Linux?  Are they on the level?

Thanks,
Mike
-- 
If at first you don't succeed, destroy all evidence that you tried -- unknown



