[Snort-users] Snort stopping - too much traffic?
Sawilliams at ...7337...
Tue Oct 29 07:49:05 EST 2002
I'm on RH 7.3, with 3COM NICS, and Snort 1.9. The computer is dual-cpu and
it only shows about 50% utilization, so I suspect the problem is the NICs.
Does anyone have a 100MB NIC recommendation?
From: Erek Adams [mailto:erek at ...577...]
Sent: Monday, October 28, 2002 5:27 PM
To: Scott Williams
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort stopping - too much traffic?
On Mon, 28 Oct 2002, Scott Williams wrote:
> I'm running Snort with a 100MB NIC and everything was fine until I
> started sending it more traffic. I'm now sending about 40Mbps to it
> and it will run for an hour or so and then stop. I get the syslog
> message "kernel: eth1: Too much work in interrupt, status e401". I
> wonder if this is what happens when the NIC buffers get too full.
> Anyone had a similar experience?
1.9.0 doesn't seem to exhibit this, or at least in my setup. I'd guess that
you are running < 1.8.7. Another thing that you might want to check is your
card, driver and kernel. I know that a _LOT_ of folks are using it on quite
a bit more traffic (x 2.5+) with no issues. That would tend to point to
your hardware and not to snort.
Is this a slow box or a 'generic' nic? If so, you might want to consider
changing hardware. If you dig around on Intel's site you can/could find a
'demo unit' offer for a 10/100/1000 card for $39.00 (USD). Since NIC's are
cheaper than boxes, you might want to check that out. :)
More information about the Snort-users