[Snort-users] Snort dropping packets?!?!?!?!?!
Roelof JT Jonkman
roel at ...47...
Wed Jul 17 17:32:02 EDT 2002
I recently stumbled accross some really weird behaviour with a machine dropping
packets, once a little load was put on the machine. (Pentium 120's running
a VPN.) What ultimately fixed it was replacing the network cards with
other network cards. (The original cards were 3com 3c590's, and the replacements
were netgear fa311's.)
There is also weirdness with some chipsets that just refuse to do promiscuous
mode correctly. Usually you have to look at the driver code to deduce of
the comments if a chipset actually works worth a dime or not.
The best 10/100 chipset I've used is the DEC/Intel Tulip chipset, it's
old, but works well anything from a 21141 to a 21143 is decent.
This one is based on the 21143. It's made by Danpex, a rather large network
OEM manufacturer, I'm sure you can get em elsewhere, but milestek ships
quick, and they're not overly expensive. ($35/piece)
> K6-2 400
> 2- P-net nics. (super cheap)
> latest snort with customised sig base.
> output to barnyard
> barnyard into MySQL on the same box
> The issue is this. When snort isnt running it detects all packets from my network. Which is running about 2Mb/s. As soon as snort is brought up st starts dropping
> packets. It is now down to picking up only 1/25 of the packets on the network.even with no preprocessors running and no signatures turned on. I take it there is sime
> problem between snort and the OS (redhat 7.2). Either that or snort and my cheap NIC dont get along. I have run this without mysql or barnyard running and with no
> preprocessors and signatures it cant be the snort engine right???? Normaly snort is running 8.5% cpu, with everything turned off it is runing 0.3%cpu. That is as it
> should be, but it is still dropping packets at the same rate.
> any ideas???
> James Ashton
> 13840 Osprey Links Dr, #219
> Orlando Fl, 32837
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users