[Snort-users] Snort dropping packets?!?!?!?!?!

Matt Kettler mkettler at ...4108...
Wed Jul 17 10:35:06 EDT 2002


Agreed to some extent. Not all cheap nics are poor performers, but quite a 
few are based on the Realtek chipset. From reading the comments in the 
Linux kernel driver source the Realtek's work, but their bus-master design 
necessitates extra memcpy's so they suck for performance.

The Other thing he should look for is make sure he has enough ram and isn't 
using his swap partition much.

At 09:13 AM 7/17/2002 -0700, Gene Gomez wrote:
>You should probably at least replace the NICs with name-brand ones.  Cheap
>NICs usually result in really poor performance on pretty much ANYTHING.  You
>don't usually see the problems on a home network (which is where these cheap
>NICs are actually targetted at selling into), but on a network with any kind
>of performance requirements you quickly see all kinds of strange things
>occur.
>At any rate, my backbone here is 4.5M.  My setup is like so:
>
>P2-233Mhz
>128MB RAM
>2x 3Com 90x NICs
>RHLinux7.2
>Snort 1.8.7
>MySQL 3.23.49
>
>I'm not seeing any problems logging packets.  In fact, I'd say I'm probably
>logging too many.  :)
>
>Gene
>
>-----Original Message-----
>From: snort-users-admin at lists.sourceforge.net
>[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of James
>Ashton
>Sent: Wednesday, July 17, 2002 8:32 AM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Snort dropping packets?!?!?!?!?!
>
>
>Hey everyone,
>  I have a speed issue with snort. I have posted before about it and was
>recomended Barnyard. Here is the setup.
>
>K6-2 400
>2- P-net nics. (super cheap)
>latest snort with customised sig base.
>output to barnyard
>barnyard into MySQL on the same box
>
>The issue is this. When snort isnt running it detects all packets from my
>network. Which is running about 2Mb/s. As soon as snort is brought up st
>starts dropping
>packets. It is now down to picking up only 1/25 of the packets on the
>network.even with no preprocessors running and no signatures turned on. I
>take it there is sime
>problem between snort and the OS (redhat 7.2). Either that or snort and my
>cheap NIC dont get along. I have run this without mysql or barnyard running
>and with no
>preprocessors and signatures it cant be the snort engine   right???? Normaly
>snort is running 8.5% cpu, with everything turned off it is runing 0.3%cpu.
>That is as it
>should be, but it is still dropping packets at the same rate.
>
>any ideas???
>_______________________________
>James Ashton
>13840 Osprey Links Dr, #219
>Orlando Fl, 32837
>
>407-859-5218
>
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
>
>
>
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list