[Snort-users] Linux packet loss statistics?

Phil Wood cpw at ...440...
Thu Apr 5 17:01:29 EDT 2001

Those linux stats are bogus.

I don't know about the version of linux you are running and
more importantly the version of libpcap.  However, I do know
that my linux reports packet loss on a par but not as bad as
the NFR box I'm running which is some kind of stripped down
{free/open}bsd.  Actually, I cannot say that.  NFR does an
awful lot of preprocessing, so on a loaded fddi, it is at around
50-80% packet loss.  (I've actually seen the dropped count equal the
received count, which according to NFR is 100% packet loss and of course
100% CPU).

A good test would be to run the following command on each system:

  # time tcpdump -i xxx -p -w /dev/null -c 100000* -s 1500
  tcpdump: listening on xxx
  100000 packets received by filter
  0 packets dropped by kernel
  0 packets are not read yet
  51667989 bytes received
  0.39user 0.67system 0:21.60elapsed 4%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (143major+110minor)pagefaults 0swaps

Another test that should guarantee packet loss is:

  # time tcpdump  -i fddi0 -p -s 1500 -c 100000** > /tmp/oo
  tcpdump: listening on xxx
  91 packets received by filter
  81986 packets dropped by kernel
  575 packets are not read yet
  42786 bytes received
  0.01user 0.01system 0:14.20elapsed 0%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (208major+233minor)pagefaults 0swaps

* You probably want a larger number.
** On the second test I broke out.

(What happens here is tcpdump goes off and tries to resolve all the ip
addresses and hangs waiting for the braindead ISP's that are too lazy
to provide some kind of name for an address.  DNS, what's that?  Even
if they did resolve the address for you, it takes too long, and you lose

Or, something like that.  Make sure you have a valid libpcap, and the
correct linux kernel configuration.

If I do a tcpdump on linux 2.4.2 kernel (non SMP
[cause fddi/SMP/2.4.2 outright dies]), I will see packet loss.
If you read the kernel source, you can see how it is done, and it
seems reasonable.  I just don't trust the distributions out there,
and have my own source for libpcap, modified by Alexey K. (ru).  Also,
I build my own kernel so I know that PACKET_STATISTICS are being created.
(I also configure the kernel with  CONFIG_PACKET_MMAP, and use some
gigantic ring buffers.)

There is not one OS out there that can capture all the packets we
see.  You need to spread the load among multiple systems/cpus and use the
fastest cpu, memory, i/o you can afford on each one.  And then you got
to figure out where you are going to keep all that information, and for
how long, but that's another story. 

On Thu, Apr 05, 2001 at 02:44:20PM -0400, Mike Johnson wrote:
> I haven't used snort on a Linux box in a while (had been
> sticking with OpenBSD).  I remember, way back when, snort
> wouldn't dump packet loss statistics for Linux.  However, 
> on my Red Hat 7 box, running kernel 2.4.3 and libpcap 0.6.2,
> snort is giving me packet loss statistics.
> Okay, that's cool, but are they accurate?  I'm rethinking my
> OpenBSD decision (I haven't outright changed my mind, just
> yet), so I decided I would set up a test.  
> I've got three identical systems.  All are pretty good
> hardware and use the Intel eepro100 card (well, the
> onboard version).  I've got all three plugged into an
> HP ProCurve switch with one port set up as a monitoring
> port.  One of the deciding factors in the whole thing
> has been that OpenBSD has a better reputation when
> it comes to packet capture.  There are other reasons
> that I'm considering Linux, so I wanted to see if
> Linux has made any improvements in the packet capture
> area.
> So, I run HP's netperf between two of the boxes, and then
> sit back and snort on the third.  I limit the test to
> 1000000 packets so I don't fill my disks, because 
> netperf pushes around 92Mbps between the other two
> boxes.
> My snort command line:
> snort -de -i fxp1 -l . -n 1000000
> According to the packet loss statistics, OpenBSD is
> dropping packets.  Anywhere from half a percent to
> sixty (yes, 60) percent.  
> For the moment, I'm not too worried about that.  What
> bothers me is that according to the statistics for
> Linux, it's dropping -no- packets.  That's right,
> zero percent.  Buh?
> So, what's the deal with the packet loss stats for
> Linux?  Are they on the level?
> Thanks,
> Mike
> -- 
> If at first you don't succeed, destroy all evidence that you tried -- unknown

Phil Wood, cpw at ...440...
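The drop-rate check Phil describes (capture N packets to /dev/null and read the "dropped by kernel" counter), as an added shell example that is not part of the original message. It assumes a tcpdump that prints the same summary lines shown above on stderr; the sample summary is constructed, and loss is computed as dropped/(received+dropped) rather than NFR's dropped/received.

```shell
#!/bin/sh
# Added example (not from the original post): measure kernel drop rate of a
# capture on an interface. Assumes tcpdump prints the "packets received by
# filter" / "packets dropped by kernel" summary lines seen in the post.

# Parse a tcpdump summary (read from stdin) and print received/dropped/loss.
# Loss here is dropped / (received + dropped); the post notes NFR instead
# reports dropped / received, which reaches 100% when the two counts match.
drop_stats() {
    awk '
        /packets received by filter/ { recv = $1 }
        /packets dropped by kernel/  { drop = $1 }
        END {
            total = recv + drop
            pct = (total > 0) ? 100.0 * drop / total : 0
            printf "received=%d dropped=%d loss=%.2f%%\n", recv, drop, pct
        }'
}

# Capture $2 packets (default 100000) on interface $1 and summarize.
# -n disables the DNS lookups that the post shows stalling the reader and
# inflating drops; -w /dev/null keeps disk I/O out of the measurement.
capture_and_measure() {
    iface=$1
    count=${2:-100000}
    tcpdump -n -p -i "$iface" -s 1500 -c "$count" -w /dev/null 2>&1 | drop_stats
}

# Constructed sample summary, modelled on the post's second (hung) run.
SAMPLE='tcpdump: listening on fddi0
91 packets received by filter
81986 packets dropped by kernel
575 packets are not read yet
42786 bytes received'

# Usage: capture_and_measure fddi0 100000
# Offline check against the constructed sample:
printf '%s\n' "$SAMPLE" | drop_stats
```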
