[Snort-users] kernel dropping packets.

Moyer, Shawn SMoyer at ...5894...
Tue Jul 30 07:13:12 EDT 2002


wtf? 657.242% ? How can you drop more than 100% ? I wonder if this is
something funky w/ your e-net driver or pcap libs? Or maybe even the packet
loss counter itself? This may be something to post over on snort-dev.

You also generated over 1K alerts, which makes the case for tuning your
ruleset a bit more. That's a lot of data to wade through, and I'll lay odds
a lot of those are falses or stuff you're not interested in.

Where is the box's placement in relation to the rest of your network? Span
port on a core switch? Is there any possibility of breaking it out by VLAN
tags or segments, maybe hanging a couple of additional nics off the box?




--shawn



-----Original Message-----
From: Virgil [mailto:virgil at ...6481...]
Sent: Tuesday, 30 July, 2002 01:38 AM
To: 'Moyer, Shawn'
Subject: RE: [Snort-users] kernel dropping packets. 


So this is bad then:

Jul 30 16:36:34 beastie snort:
============================================================================
=== 
Jul 30 16:36:34 beastie snort: Snort analyzed 1939463424 out of 422643012
packets, 
Jul 30 16:36:34 beastie snort: The kernel dropped -1517180408(657.242%)
packets  
Jul 30 16:36:34 beastie snort: Breakdown by protocol:                Action
Stats: 
Jul 30 16:36:34 beastie snort:     TCP: 1823649555 (431.487%)
ALERTS: 1255166    
Jul 30 16:36:34 beastie snort:     UDP: 91051690   (21.543%)         LOGGED:
1255166    
Jul 30 16:36:34 beastie snort:    ICMP: 11718943   (2.773%)          PASSED:
0          
Jul 30 16:36:34 beastie snort:     ARP: 4490650    (1.063%) 
Jul 30 16:36:34 beastie snort:    IPv6: 0          (0.000%) 
Jul 30 16:36:34 beastie snort:     IPX: 0          (0.000%) 
Jul 30 16:36:34 beastie snort:   OTHER: 8678010    (2.053%) 
Jul 30 16:36:34 beastie snort: DISCARD: 34         (0.000%) 
Jul 30 16:36:34 beastie snort:
============================================================================
=== 
Jul 30 16:36:34 beastie snort: Fragmentation Stats: 
Jul 30 16:36:34 beastie snort: Fragmented IP Packets: 301074     (0.071%) 
Jul 30 16:36:34 beastie snort:     Fragment Trackers: 204480     
Jul 30 16:36:34 beastie snort:    Rebuilt IP Packets: 66603      
Jul 30 16:36:34 beastie snort:    Frag elements used: 145628     
Jul 30 16:36:34 beastie snort: Discarded(incomplete): 0          
Jul 30 16:36:34 beastie snort:    Discarded(timeout): 204435     
Jul 30 16:36:34 beastie snort:   Frag2 memory faults: 0          
Jul 30 16:36:34 beastie snort:
============================================================================
=== 
Jul 30 16:36:34 beastie snort: TCP Stream Reassembly Stats: 
Jul 30 16:36:34 beastie snort:         TCP Packets Used: 0          (0.000%)

Jul 30 16:36:34 beastie snort:          Stream Trackers: 0          
Jul 30 16:36:34 beastie snort:           Stream flushes: 0          
Jul 30 16:36:34 beastie snort:            Segments used: 0          
Jul 30 16:36:34 beastie snort:    Stream4 Memory Faults: 0          
Jul 30 16:36:34 beastie snort:
============================================================================
=== 

??

Virgil
virgil at ...6481...




More information about the Snort-users mailing list