[Snort-users] TCP Reassembly

Christopher E. Cramer chris.cramer at ...799...
Thu Mar 15 13:38:24 EST 2001


If I understand you correctly, you are asking if you can optimize the
Solaris box.  The first thing to check is to see if it is an issue of
dropping packets.  Under Solaris, snort will print out packet loss
statistics when it is gracefully killed.  If you are dropping packets then
we could start talking about optimization.  If you aren't dropping
packets, then it could be some screwy TCP window issue that you can't do
much about.

If we're talking optimization, then part of the optimization is how you
are logging which depends on the flags you set when starting snort.  If
you could tell us how you run snort, that might help.

-c



On Thu, 15 Mar 2001, Siddhartha Jain wrote:

> I am running this on a Sparc/Solaris 2.6 box. Are there any TCP/IP
> parameters I can tune to solve this?
> 
> Siddhartha
> 
> ----- Original Message -----
> From: "Christopher E. Cramer" <chris.cramer at ...799...>
> To: "Siddhartha Jain" <s_i_d_j at ...131...>
> Cc: <snort-users at lists.sourceforge.net>
> Sent: Thursday, March 15, 2001 11:19 PM
> Subject: Re: [Snort-users] TCP Reassembly
> 
> 
> >
> > It means that the TCP Reassembler may be a bit confused, probably due to
> > packet loss.  The reassembler allocates space in which to perform
> > TCP reassembly.  The size of this buffer is based on the known window size
> > and how much data you want to keep around at any one time.  The
> > reassembler creates packets from this buffer when it sees an ACK of the
> > data.  If you are experiencing packet loss, you might not see the ACK and
> > the data may be left in for too long.  It is also possible that the server
> > has changed its TCP window size causing the screw up.
> >
> > The quick and dirty solution is to ignore it.  The better solution is to
> > upgrade to the version in the CVS which handles memory differently.
> >
> > -Chris
> >
> > On Thu, 15 Mar 2001, Siddhartha Jain wrote:
> >
> > > Hi,
> > >
> > > I get the following logs in /var/adm/messages :-
> > >
> > > Mar 15 10:27:15 e220r snort: [!] WARNING: TCP stream reassembler, Server
> > > Bytes in Buffer > Buffer Size (29938 > 25144)
> > >
> > > What does this mean?
> > >
> > > Siddhartha
> 
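The buffering behaviour described in the quoted reply, as an added example that is not part of the thread and is not Snort's code: a simplified model in which data sits in a window-sized buffer until the sensor sees an ACK covering it. The structure and function names are hypothetical, and the trace is constructed so that a single lost ACK reproduces the figures in the quoted log line.

```c
#include <stdio.h>

/* Simplified model of one direction of a stream; hypothetical, not Snort's own structures. */
struct stream {
    unsigned buf_size;  /* space allocated from the known window size */
    unsigned buffered;  /* bytes held until an ACK covers them */
    unsigned base_seq;  /* relative sequence number of the first buffered byte */
    unsigned warnings;  /* times buffered exceeded buf_size */
};

enum kind { DATA, ACK };
/* value: payload length (DATA) or cumulative ack number (ACK); seen == 0: sensor dropped it */
struct event { enum kind kind; unsigned value; int seen; };

static void feed(struct stream *s, const struct event *e)
{
    if (!e->seen) return;                 /* the sensor never saw this packet */
    if (e->kind == DATA) {
        s->buffered += e->value;
        if (s->buffered > s->buf_size) {
            s->warnings++;
            printf("Bytes in Buffer > Buffer Size (%u > %u)\n",
                   s->buffered, s->buf_size);
        }
    } else if (e->value > s->base_seq) {  /* sequence wraparound not modelled */
        unsigned acked = e->value - s->base_seq;
        if (acked > s->buffered) acked = s->buffered;
        s->buffered -= acked;             /* ACKed data leaves the buffer */
        s->base_seq += acked;
    }
}

/* Constructed trace; sizes chosen to reproduce the figures in the quoted log line. */
unsigned demo(int ack_seen)
{
    struct event trace[] = {
        { DATA, 12000, 1 }, { DATA, 12000, 1 },
        { ACK, 24000, ack_seen },         /* the ACK that may be lost */
        { DATA, 5938, 1 }, { ACK, 29938, 1 },
    };
    struct stream s = { 25144, 0, 0, 0 };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) feed(&s, &trace[i]);
    return s.warnings;
}

int main(void)
{
    unsigned ok = demo(1), lossy = demo(0);
    printf("ACK seen: %u warning(s); ACK lost: %u warning(s)\n", ok, lossy);
    return 0;
}
```

Because ACKs are cumulative, the later ACK in the trace still drains the buffer, so in this model the condition is transient, which fits the advice that the warning can be ignored.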





