[Snort-users] kernel dropping packets.
Roelof JT Jonkman
roel at ...47...
Mon Jul 29 17:20:02 EDT 2002
If you send the snort pid a 'sigusr1' it will dump it's packet capture statistics
to stderr/syslog, depending on how you're running. (syslog in your case)
'snort -v' is horribly inefficient, because it has to output every packet to
stdout, which cause snort to slow down considerably. So that is not really
the way to measure how efficient snort goes about it's job.
> Snort runs on OpenBSD 3.1. It sits on a gigabit interface connected to
> our gateway. I'm wondering if anyone has had a similar problem with
> dropped packets. I'm assuming that missing 73% of packets is very bad and
> nearly defeats the purpose of running snort. The hardware is all
> new..2ghz athlon and 1GB of memory. This is how I run snort.
> /usr/local/bin/snort -d -i ti0 -l /usr/local/snort/logs -c
> /usr/local/snort/rules/snort.conf -D
> but when I run just this (snort -v) I loose the packets. Is there any
> way to check this information while snort is running via the top command I
> use? Are dropped packets normal with snort just running in sniffer mode?
> I ask because we had a break in a week ago and there were only portscans
> that showed up in the logs but the system had definitly been compromised.
> Thank you,
> ~Jonathan Rakocy
> Computer Systems Lab
> snort -v
> Snort analyzed 492 out of 3465 packets, The kernel dropped
> 2532(73.074%) packets
> Breakdown by protocol: Action Stats:
> TCP: 492 (14.199%) ALERTS: 0
> UDP: 0 (0.000%) LOGGED: 0
> ICMP: 0 (0.000%) PASSED: 0
> ARP: 0 (0.000%)
> IPv6: 0 (0.000%)
> IPX: 0 (0.000%)
> OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> Fragmentation Stats:
> Fragmented IP Packets: 0 (0.000%)
> TCP Stream Reassembly Stats:
> TCP Packets Used: 0 (0.000%)
> Snort received signal 2, exiting
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users