[Snort-users] A Query about dropped packets

Ashley Thomas athomas at ...3539...
Mon Sep 24 18:24:03 EDT 2001


I am running snort as:

./snort -d -h 10.0.0.0/24 -c snort.conf

How do I make sure that name lookup is turned off? (There was no mention of
this in the help / manual)

thanks
Ashley

Phil Wood wrote:

> On Thu, Sep 20, 2001 at 10:50:28PM -0400, Ashley Thomas wrote:
> > Hi all,
> >
> > I am running Snort on openBSD 2.9.
> > I keep getting packets and when I terminate it gives some statistics
> > which include
> >
> > "Snort analyzed 1716 out of 2979 packets, dropping 1263(42.397%)
> > packets"
> I bet you have turned on name lookup?  You should never see dropped packets
> like that with only 2979 packets.
> >
> > Does this mean snort is dropping packets or does it mean that Snort
> > analysed only 1716 ?
>
> It means that snort only saw 1716 of the 2979 packets that drifted by
> your sensor.  The kernel dropped 1263, presumably because snort never
> got back in time to lift them into user space.
> > In the latter case what is the filter used to filter 1716 out of 2979
> > packets and drop the rest ?
> >
> > Is this because there is something wrong in the configuration ?
> >
> > Any pointers are welcome.
> >
> > thanks a lot
> > Ashley
> >
>
> --
> Phil Wood, cpw at ...440...
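
The mechanism described in the quoted reply above (the kernel dropping packets because the sniffer does not return in time to lift them into user space), as an added example that is not part of the original thread and is not Snort or libpcap code. It is a discrete-event model; the buffer size, packet rate, per-packet analysis time and lookup delay are all assumed values chosen for illustration.

```python
from collections import deque


def simulate(arrivals_us, buffer_slots, analysis_us, lookup_us=0):
    """Model a fixed-size kernel capture buffer drained by one user-space reader.

    arrivals_us  -- sorted packet arrival times in microseconds
    buffer_slots -- packets the kernel can hold before it must drop (assumed)
    analysis_us  -- time the reader spends analysing one packet (assumed)
    lookup_us    -- extra blocking time per packet, e.g. a name lookup (assumed)
    Returns (analyzed, dropped).
    """
    buffered = deque()   # arrival times of packets waiting in the kernel buffer
    free_at = 0          # time at which the reader can take its next packet
    analyzed = dropped = 0
    for t in arrivals_us:
        # Let the reader lift every packet it had time to start on before t.
        while buffered and free_at <= t:
            start = max(free_at, buffered.popleft())
            free_at = start + analysis_us + lookup_us
            analyzed += 1
        # The new packet needs a free slot; otherwise the kernel drops it.
        if len(buffered) < buffer_slots:
            buffered.append(t)
        else:
            dropped += 1
    # Assumption: once traffic stops, the reader drains what is still buffered.
    analyzed += len(buffered)
    return analyzed, dropped


# Constructed input: 2979 packets, one every millisecond.
ARRIVALS = [i * 1000 for i in range(2979)]


def report(label, analyzed, dropped):
    total = analyzed + dropped
    pct = 100 * dropped / total
    return f"{label}: analyzed {analyzed} of {total}, dropped {dropped} ({pct:.3f}%)"


if __name__ == "__main__":
    print(report("no lookup", *simulate(ARRIVALS, 32, 200)))
    print(report("blocking lookup", *simulate(ARRIVALS, 32, 200, lookup_us=1500)))
```

With the same traffic and buffer, the only difference between a clean run and a heavy drop rate in this model is the per-packet blocking delay in the reader.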
