[Snort-users] Snort dropping packets.

Emilio Mira emial at ...4389...
Sun Jul 14 15:17:03 EDT 2002


I installed last libpcap version (0.7.1) from tcpdump.org after reading in
the list that redhat libpcap was broken. 

Is this problem caused by Snort, libpcap or kernel?. Snort reads packets
from libpcap, so whether Snort says that is processing all packets (0%
drops), must be because libpcap or kernel is dropping packets. So, how 
could I know which one is dropping packets?.

On Sun, 14 Jul 2002, Matt Kettler wrote:

> Ok, I'll take a stab at a response.
> 
> Don't use the libpcap that is supplied by RedHat if you want numbers you 
> can trust. From what I've read, they decided to change the libpcap 
> interfaces a bit and broke some things along the way in the process of 
> creating a "turbo" mode or something of the like. I recall a lot of 
> grumbling on the list about this, and I think snort includes fixes for the 
> redhat changes, but I wouldn't trust them to work 100% since a large number 
> of people have observed the same problems as you and reported them to the 
> snort list.
> 
> Try the official release of libpcap from tcpdump.org and see if you still 
> have problems. (note that 0.6.2 is the latest versioned release)
> 
> 
> At 04:25 PM 7/14/2002 +0200, Emilio Mira wrote:
> 
> >I sent this mail few days ago, but I hadn't received any reply. It's about
> >packets dropped by Snort.
> >
> >Anyone could give me a response?.
> >
> >Thank you.
> >
> >---------- Forwarded message ----------
> >Date: Thu, 11 Jul 2002 12:10:20 +0200 (CEST)
> >From: Emilio Mira <emial at ...4389...>
> >To: snort-users at lists.sourceforge.net
> >Subject: Snort dropping packets.
> >
> >
> >Hi all,
> >
> >I'm meassuring Snort dropped packets with 'kill -USR1 <pid>' and
> >apparently Snort is working without drops. But if I get received packets
> >by the interface from /proc/net/dev and processed packets from Snort with
> >'kill -USR1 <pid>', there are diferences (see JPG attached).
> >
> >Why doesn't USR1 shows me real dropped packets?.
> >
> >I'm using Snort 1.8.7 with default configuration and libpcap 0.7.1 on
> >RH7.2. and an ATM interface.
> >
> >Thanks.
> >
> >--
> >Emilio Mira
> 







More information about the Snort-users mailing list