[Snort-users] flexresp and kernel dropping packets.
erek at ...577...
Mon Aug 12 11:25:07 EDT 2002
On Mon, 12 Aug 2002, Brian F. Vaughan wrote:
> I am currently running snort-1.8.7 on Linux 6.2 (Kernel 2.4.18). I
> configured snort with ./configure --enable-flexresp and everything compiled
> ok. I reviewed my rules and everything is ok with the rules. However when I
> start snort with snort -d -v, I notice that the kernel is dropping packets.
> Is this normal and has anyone seen this? Does it look like I'll have to
> recompile my kernel?
A few possible solutions about this:
* Update your kernel as you said.
* Stop using -d -v as options. Snort has to write to STDOUT when you
do that, and writing to the screen takes a bit of time away from doing
anything else. Use -b and post-process the logs if you want to view them.
* Consider changing your NIC. Intel Pro's seem to have some of the
least amount of packet drops (according to the list).
* Update libpcap to the most recent version from tcpdump.org.
* Check the snort-developers archives for some recent threads on
Linux and libpcap. (Search for Phil Wood, he's da man!)
* Rebuild the box as a *BSD.
Ok, ok, I was _just kidding_ with the last statement. ;-)
Hope that helps!
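
The "-b and post-process" suggestion in the reply above, as an added example that is not part of the original post: Snort's -b option logs packets in tcpdump (libpcap) binary format, so the sensor does no per-packet screen output and the file can be summarized offline afterwards. The function names and the two-packet sample capture are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file magic (microsecond timestamps)

def build_sample_pcap():
    """Constructed sample: 2 packets, little-endian, Ethernet, snaplen 1514."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1514, 1)
    rec1 = struct.pack("<IIII", 1029165907, 0, 60, 60) + bytes(60)
    # Second packet: 1500 bytes on the wire, only 40 bytes stored in the file.
    rec2 = struct.pack("<IIII", 1029165908, 500000, 40, 1500) + bytes(40)
    return hdr + rec1 + rec2

def read_pcap(data):
    """Return (snaplen, linktype, [(timestamp, caplen, origlen), ...])."""
    if len(data) < 24:
        raise ValueError("too short for a pcap file header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"          # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    fields = struct.unpack(endian + "IHHiIII", data[:24])
    snaplen, linktype = fields[5], fields[6]
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(endian + "IIII",
                                                   data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            break             # file ends mid-record (e.g. sensor stopped mid-write)
        records.append((sec + usec / 1e6, caplen, origlen))
        off += caplen
    return snaplen, linktype, records

def summarize(data):
    """Per-file totals; 'truncated' counts packets cut short by the snaplen."""
    _, _, records = read_pcap(data)
    return {
        "packets": len(records),
        "bytes_captured": sum(c for _, c, _ in records),
        "truncated": sum(1 for _, c, o in records if c < o),
    }

if __name__ == "__main__":
    print(summarize(build_sample_pcap()))
```

The file only contains packets that reached Snort; packets the kernel dropped are not recorded in it.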