[Snort-users] Snort dropping packets.

Phil Wood cpw at ...440...
Sun Jul 14 15:40:02 EDT 2002


On Mon, Jul 15, 2002 at 12:16:17AM +0200, Emilio Mira wrote:
> 
> I installed last libpcap version (0.7.1) from tcpdump.org after reading in
> the list that redhat libpcap was broken. 

Are you sure that when snort compiles and loads it is using both:

  -l<path_to_libpcap-0.7.1>

when compiling all the snort objects,

and

  -L<path_to_libpcap-0.7.1>

when loading the objects to create the snort executable?

I've had the problem before when I thought ./configure had built a
Makefile properly; it was actually getting the linux release version
rather than the libpcap I had compiled from tcpdump.org.

> 
> Is this problem caused by Snort, libpcap or kernel? Snort reads packets
> from libpcap, so whether Snort says that it is processing all packets (0%
> drops), must be because libpcap or kernel is dropping packets. So, how 
> could I know which one is dropping packets?

Have you looked at /proc/net/dev and found any errors?  In my case the
device never has a problem.  Lost packets are a result of the application
not reading (via libpcap) what the kernel has to offer in a timely manner.  On a 
loaded link, you can expect packet loss because of the multitude of rules
which require extensive pattern matching.  On weekends, I don't have
a problem.  During the week there is enough traffic to cause around 0.5 percent
packet loss (for the 24 hour period).  If you see errors in /proc/net/dev, they
will not be reflected in the data you get when snort calls pcap_stats.
And, you should consider upgrading the hardware device to eliminate the
problem.

> 
> On Sun, 14 Jul 2002, Matt Kettler wrote:
> 
> > Ok, I'll take a stab at a response.
> > 
> > Don't use the libpcap that is supplied by RedHat if you want numbers you 
> > can trust. From what I've read, they decided to change the libpcap 
> > interfaces a bit and broke some things along the way in the process of 
> > creating a "turbo" mode or something of the like. I recall a lot of 
> > grumbling on the list about this, and I think snort includes fixes for the 
> > redhat changes, but I wouldn't trust them to work 100% since a large number 
> > of people have observed the same problems as you and reported them to the 
> > snort list.
> > 
> > Try the official release of libpcap from tcpdump.org and see if you still 
> > have problems. (note that 0.6.2 is the latest versioned release)
> > 
> > 
> > At 04:25 PM 7/14/2002 +0200, Emilio Mira wrote:
> > 
> > >I sent this mail a few days ago, but I haven't received any reply. It's about
> > >packets dropped by Snort.
> > >
> > >Could anyone give me a response?
> > >
> > >Thank you.
> > >
> > >---------- Forwarded message ----------
> > >Date: Thu, 11 Jul 2002 12:10:20 +0200 (CEST)
> > >From: Emilio Mira <emial at ...4389...>
> > >To: snort-users at lists.sourceforge.net
> > >Subject: Snort dropping packets.
> > >
> > >
> > >Hi all,
> > >
> > >I'm measuring Snort dropped packets with 'kill -USR1 <pid>' and
> > >apparently Snort is working without drops. But if I get received packets
> > >by the interface from /proc/net/dev and processed packets from Snort with
> > >'kill -USR1 <pid>', there are differences (see JPG attached).
> > >
> > >Why doesn't USR1 show me real dropped packets?
> > >
> > >I'm using Snort 1.8.7 with default configuration and libpcap 0.7.1 on
> > >RH7.2 and an ATM interface.
> > >
> > >Thanks.
> > >
> > >--
> > >Emilio Mira
> > 
> 
> 

-- 
Phil Wood, cpw at ...440...
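The check Phil suggests above, reading /proc/net/dev and comparing the interface's receive counters against the numbers snort reports on USR1, as an added example that is not part of the original thread. The /proc/net/dev text below is constructed for the example (the field layout is the one used by 2.4-era kernels); on a real sensor you would read the live file, and the snort figures are whatever its USR1 statistics print. The function names are my own.

```python
"""Compare /proc/net/dev receive counters with snort's USR1 packet counts.

Added example, not code from the original thread.  The sample text is
constructed; on a live box use open("/proc/net/dev").read() instead.
"""

# Receive and transmit counter names, in the order /proc/net/dev prints them.
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")

# Constructed sample in the /proc/net/dev layout; every number is made up.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345     150    0    0    0     0          0         0    12345     150    0    0    0     0       0          0
  eth0: 98765432 1000000   12  340    5     0          0         0  1234567   12345    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {iface: {"rx": {...}, "tx": {...}}} from /proc/net/dev text.

    The two header lines are skipped.  Each remaining line is the interface
    name, a colon, then 16 integer counters (8 receive, 8 transmit).  Some
    kernels print the name and first counter with no space ("eth0:98765432"),
    so split on the colon rather than on whitespace alone.
    """
    stats = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        values = [int(v) for v in rest.split()]
        if len(values) != 16:
            raise ValueError("unexpected field count on line: %r" % line)
        stats[name.strip()] = {
            "rx": dict(zip(RX_FIELDS, values[:8])),
            "tx": dict(zip(TX_FIELDS, values[8:])),
        }
    return stats


def device_level_loss(stats, iface):
    """Receive-side errors and drops counted by the NIC/driver.

    These happen before the packet reaches the packet socket that libpcap
    reads, so pcap_stats() (and therefore snort's USR1 output) never sees
    them.  This is the number Phil says to look for in /proc/net/dev.
    """
    rx = stats[iface]["rx"]
    return rx["errs"] + rx["drop"] + rx["fifo"] + rx["frame"]


def unexplained_gap(stats, iface, snort_received, snort_dropped):
    """Packets the interface counted as received that snort's own
    statistics (received + dropped, as printed on USR1) do not account for.

    A positive value is loss between the driver and the application that
    pcap_stats() did not report, i.e. the discrepancy Emilio observed.
    """
    rx_packets = stats[iface]["rx"]["packets"]
    return rx_packets - (snort_received + snort_dropped)


if __name__ == "__main__":
    s = parse_proc_net_dev(SAMPLE_PROC_NET_DEV)
    # Constructed snort USR1 figures for the same interval.
    print("device-level loss on eth0:", device_level_loss(s, "eth0"))
    print("packets snort cannot account for:", unexplained_gap(s, "eth0", 990000, 5000))
```

Run it against the real file on the sensor and the two numbers tell you where to look: a large device-level loss points at the interface hardware or driver (the upgrade Phil mentions), while a large unexplained gap with a clean interface points at the application not draining the socket fast enough.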