[Snort-users] Snort stopping - too much traffic?

Scott Williams Sawilliams at ...7337...
Tue Oct 29 07:49:05 EST 2002


I'm on RH 7.3, with 3COM NICS, and Snort 1.9. The computer is dual-cpu and
it only shows about 50% utilization, so I suspect the problem is the NICs.
Does anyone have a 100MB NIC recommendation?

-----Original Message-----
From: Erek Adams [mailto:erek at ...577...] 
Sent: Monday, October 28, 2002 5:27 PM
To: Scott Williams
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort stopping - too much traffic?


On Mon, 28 Oct 2002, Scott Williams wrote:

> I'm running Snort with a 100MB NIC and everything was fine until I 
> started sending it more traffic. I'm now sending about 40Mbps to it 
> and it will run for an hour or so and then stop. I get the syslog 
> message "kernel: eth1: Too much work in interrupt, status e401". I 
> wonder if this is what happens when the NIC buffers get too full. 
> Anyone had a similar experience?

1.9.0 doesn't seem to exhibit this, or at least in my setup.  I'd guess that
you are running < 1.8.7.  Another thing that you might want to check is your
card, driver and kernel.  I know that a _LOT_ of folks are using it on quite
a bit more traffic (x 2.5+) with no issues.  That would tend to point to
your hardware and not to snort.

Is this a slow box or a 'generic' nic?  If so, you might want to consider
changing hardware.  If you dig around on Intel's site you can/could find a
'demo unit' offer for a 10/100/1000 card for $39.00 (USD).  Since NIC's are
cheaper than boxes, you might want to check that out.  :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net




More information about the Snort-users mailing list