[Snort-users] flexresp and kernel dropping packets.

Erek Adams erek at ...577...
Mon Aug 12 11:25:07 EDT 2002

On Mon, 12 Aug 2002, Brian F. Vaughan wrote:

> 	I am currently running snort-1.8.7 on Linux 6.2 (Kernel 2.4.18). I
> configured snort with ./configure --enable-flexresp and everything compiled
> ok. I reviewed my rules and everything is ok with the rules. However when I
> start snort with snort -d -v, I notice that the kernel is dropping packets.
> Is this normal and has anyone seen this? Does it look like I'll have to
> recompile my kernel?

A few possible solutions about this:

	*  Update your kernel as you said.
	*  Stop using -d -v as options.  Snort has to write to STDOUT when you
do that, and writing to the screen takes a bit of time away from doing
anything else.  Use -b and post-process the logs if you want to view them.
	*  Consider changing your NIC.  Intel Pro's seem to have some of the
least amount of packet drops (according to the list).
	*  Update libpcap to the most recent version from tcpdump.org.
	*  Check the snort-developers archives for some recent threads on
Linux and libpcap.  (Search for Phil Wood, he's da man!)
	*  Rebuild the box as a *BSD.

Ok, ok, I was _just kidding_ with the last statement. ;-)

Hope that helps!

Erek Adams
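
Post-processing a binary log, as suggested in the reply above (an added example, not part of the original message): a minimal reader for the classic libpcap (tcpdump) file format that Snort's -b option logs in, run on a constructed one-packet capture. The function names, sample addresses and timestamp are assumptions made for illustration.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (microsecond timestamps)

def read_pcap(data):
    """Yield (timestamp, frame_bytes, original_length) for each record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (PCAP_MAGIC, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == PCAP_MAGIC else ">"  # byte order of the writing host
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    offset = 24  # records start after the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            break  # final record cut short, e.g. sensor stopped mid-write
        yield sec + usec / 1e6, data[offset:offset + incl_len], orig_len
        offset += incl_len

def summarize(frame):
    """One-line summary of an Ethernet frame carrying IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4 frame"
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IPv4 header length
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        return f"{'TCP' if proto == 6 else 'UDP'} {src}:{sport} -> {dst}:{dport}"
    return f"proto {proto} {src} -> {dst}"

def build_sample():
    """Constructed one-packet capture using documentation addresses."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 1024, 0, 0)
    frame = eth + ip + tcp
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + struct.pack("<IIII", 1000000000, 0, len(frame), len(frame)) + frame

def report(data):
    return [summarize(frame) for _, frame, _ in read_pcap(data)]

if __name__ == "__main__":
    print("\n".join(report(build_sample())))
```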

