[Snort-users] Snort hardware issues

Erek Adams erek at ...577...
Wed Jun 13 16:26:17 EDT 2001

On Wed, 13 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:

> I have a couple of technical hardware questions related to Snort that I was
> hoping someone could answer?


> 1. I am running a Snort server on a Compaq DL360 running Red Hat Linux 7.0.
> The DL360 has 2 CPUs which don't seem to be getting utilized by Snort. Does
> Snort support using 2 CPUs? When I use the TOP command, it shows one CPU as
> pegged at 99.8% utilization, then the 99.8% jumps over to the 2nd CPU and
> the first CPU becomes idle. The utilization pegs on both CPUs back and
> forth. Is this normal? Can this be throttled somehow so I can get in and
> manage the box easier without it being so sluggish?

Since I'm not really Linux savvy, check and see if it supports something like
binding a process to a processor.  Solaris has the pbind command that does
this.  From what my Linux geek friends have said, Linux claims to do SMP, but
not very well.


Maintenance Commands                                    pbind(1M)

     pbind - control and query bindings of processes  to  proces-


Of course you could ditch that Linux distro and put Solaris x86 on there...

> 2. Also I have 2 NICs in the box, one is used for gathering the data (it is
> on a spanned port on a switch) and the other NIC I use for management. Every
> time I try and log in, the server does NOT respond. If I do a traceroute on
> both interfaces they don't respond for maybe 10 or 20 traces, then they pop
> up. Then I QUICKLY open an ssh session and I'm in from there. If I do an
> IFCONFIG, the 2nd NIC I plan to use for management shows NO activity, though
> it is active and I can log in through it. Something definitely wrong here. I
> wonder if the pegged CPU utilization has something to do with the lack of
> response? I can't think of a reason why the 2nd NIC would have no activity
> though.

It almost sounds like you are having some sort of hardware error with one of
the cards.  Try checking all the logs for errors.  If you're bored, yank out
one nic and see how the machine behaves.

Sorry I can't be of more help.

Erek Adams
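
Added example, not part of the original message: on a current Linux kernel the counterpart of the Solaris pbind binding mentioned above is the sched_setaffinity call, which Python exposes as os.sched_setaffinity. The sketch pins a sensor process to every CPU except one, so the process stops hopping between CPUs and one CPU stays free of it for management logins; the function names and the script name are hypothetical, and a Linux host with Python 3 is assumed.

```python
import os
import sys


def split_cpus(available):
    """Split usable CPUs into (sensor_cpus, reserved_cpus).

    The lowest-numbered CPU is kept free for management work (sshd, shell);
    the sensor gets the rest. With one CPU there is nothing to reserve.
    """
    cpus = sorted(available)
    if not cpus:
        raise ValueError("no usable CPUs")
    if len(cpus) == 1:
        return set(cpus), set()
    return set(cpus[1:]), {cpus[0]}


def pin_process(pid, cpus):
    """Bind pid (0 = caller) to cpus and return the affinity now in effect.

    The kernel applies this per thread: only the thread whose id is `pid`
    is moved, so a multi-threaded program needs one call per thread id.
    """
    os.sched_setaffinity(pid, cpus)
    return os.sched_getaffinity(pid)


def pin_sensor(pid=0):
    """Pin pid to every CPU it may use except the one reserved for management."""
    sensor, reserved = split_cpus(os.sched_getaffinity(pid))
    return pin_process(pid, sensor), reserved


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 pin_sensor.py <sensor pid>
    # Pinning another user's process requires root (CAP_SYS_NICE).
    target = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    try:
        now, reserved = pin_sensor(target)
    except (ProcessLookupError, PermissionError) as exc:
        sys.exit(f"cannot pin pid {target}: {exc}")
    print(f"pid {target} bound to CPUs {sorted(now)}; left free: {sorted(reserved)}")
```

The reserved CPU is only kept clear of the pinned process; other processes are still scheduled wherever the kernel chooses.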
