[Snort-users] Snort 2.0.5 dropping packets

Matt Kettler mkettler at ...4108...
Fri Dec 19 10:58:02 EST 2003

At 12:03 PM 12/19/2003, Sheahan, Paul wrote:
>Now I built a new Snort server on beefier hardware running RHLinux 8.0 and 
>Snort 2.0.5 and a gig NIC. The network it is on is running at 1000mb/s 
>(gig) though traffic levels are the same as the old network (35mb/s). Yet 
>Snort drops .2% (point 2 percent) of traffic on the default ruleset and 
>when I add my custom rule file (which has a lot of content based rules), 
>Snort drops massive amounts of packets (like 30 to 40%!)
>Any ideas why this would happen when it didn't happen on the lower end box 
>running at 100mb/s? Any tips on how I can avoid this? I confirmed that the 
>gig nic is running at 1000mb/s as it should be and the port on the switch 
>it is plugged into is forced at 1000mb/s.

Well, let's put it this way... 35mbps is the *average* thruput.. but that 
has little or nothing to do with packet drop rate..

What most affects packet drop rate is the minimum possible time between two 
packets. This is largely dependent on your peak wire-rate, not your average.

By switching to gigabit ethernet, even with only 35mbps flowing through it 
on average, you've made it possible for two packets to be 1/10th the 
distance apart in time. This is because routers can queue packets, and send 
a small burst of them at once.. The average is still 35mbps, but the 
instantaneous rate is gigabit, and that can go on until the router exhausts 
whatever pile of packets it has queued up.

TCP streams also tend to have this burstish behavior as they come out of the 
source machine. TCP has a rate limiter, but once an ack comes in and opens 
up the window, it can crank out a bunch of segments until the window is 
exhausted or one of the rate limiting systems kicks in (congestion 
avoidance and/or slow start).

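The argument in the reply above (average throughput says little about drops; the inter-packet gap during a burst is what matters) can be made concrete with a small queueing simulation. The following is an added illustration, not code from the thread or from Snort: it models the sensor as a single worker with a fixed per-packet cost in front of a fixed-size capture buffer, and feeds it the same 35 Mb/s average once as evenly spaced packets and once as router bursts at 100 Mb/s and at 1 Gb/s line rate. The packet size, the per-packet costs for the default and the content-heavy rulesets, and the buffer size are all assumed values chosen to make the effect visible.

```python
"""Toy model of why a sniffer drops packets on a bursty gigabit link even when
the average throughput is low.  Illustrative simulation, not Snort's own code.

The sensor is a single worker that needs `service_us` microseconds per packet
(a stand-in for rule-matching cost) behind a capture buffer holding
`buffer_size` packets.  A packet that arrives while the buffer is full is
dropped, which is what the kernel does when the sniffer cannot keep up.
"""
from collections import deque

PACKET_BYTES = 1000  # assumed packet size for all arrival schedules below


def packet_gap_us(mbps, packet_bytes=PACKET_BYTES):
    """Microseconds between back-to-back packets on a link of `mbps` Mbit/s."""
    return packet_bytes * 8 // mbps  # 100 Mb/s -> 80 us, 1000 Mb/s -> 8 us


def uniform_arrivals(n_packets, avg_gap_us):
    """Packets spread evenly at the average rate: no bursts at all."""
    return [i * avg_gap_us for i in range(n_packets)]


def bursty_arrivals(n_bursts, burst_len, wire_gap_us, avg_gap_us):
    """Same long-run average as uniform_arrivals, delivered as line-rate bursts:
    a router empties a queue of `burst_len` packets at wire speed, then idles.
    """
    assert wire_gap_us <= avg_gap_us, "wire rate must be at least the average rate"
    period_us = burst_len * avg_gap_us  # burst spacing that keeps the average
    return [b * period_us + k * wire_gap_us
            for b in range(n_bursts) for k in range(burst_len)]


def simulate_capture(arrivals_us, service_us, buffer_size):
    """FIFO capture buffer in front of a single-threaded packet processor.

    Returns (processed, dropped) packet counts.
    """
    in_buffer = deque()   # departure times of packets still in the buffer
    last_departure = 0
    dropped = 0
    for t in arrivals_us:
        while in_buffer and in_buffer[0] <= t:   # finished packets leave
            in_buffer.popleft()
        if len(in_buffer) >= buffer_size:        # buffer full: kernel drops it
            dropped += 1
            continue
        start = max(t, last_departure)           # wait for the packet ahead
        last_departure = start + service_us
        in_buffer.append(last_departure)
    return len(arrivals_us) - dropped, dropped


def drop_percent(arrivals_us, service_us, buffer_size=32):
    """Share of packets lost, in percent, for one traffic shape and ruleset cost."""
    _, dropped = simulate_capture(arrivals_us, service_us, buffer_size)
    return 100.0 * dropped / len(arrivals_us)


# Constructed scenario: 35 Mb/s average of 1000-byte packets, 50 router bursts.
AVG_GAP_US = packet_gap_us(35)   # ~228 us between packets on average
DEFAULT_RULES_US = 10            # assumed per-packet cost, default ruleset
CONTENT_RULES_US = 40            # assumed per-packet cost with many content rules
BURSTS, BURST_LEN = 50, 200


def scenarios():
    """Drop percentage for every (traffic shape, ruleset) pair."""
    shapes = {
        "even spacing": uniform_arrivals(BURSTS * BURST_LEN, AVG_GAP_US),
        "100 Mb/s bursts": bursty_arrivals(BURSTS, BURST_LEN, packet_gap_us(100), AVG_GAP_US),
        "1 Gb/s bursts": bursty_arrivals(BURSTS, BURST_LEN, packet_gap_us(1000), AVG_GAP_US),
    }
    rulesets = (("default", DEFAULT_RULES_US), ("content", CONTENT_RULES_US))
    return {(shape, rules): drop_percent(arrivals, cost)
            for shape, arrivals in shapes.items()
            for rules, cost in rulesets}


if __name__ == "__main__":
    for (shape, rules), pct in scenarios().items():
        print(f"{shape:16s} {rules:8s} drops {pct:5.1f}%")
```

With these assumed numbers the evenly spaced traffic and the 100 Mb/s bursts lose nothing under either ruleset, because a 40 µs worker keeps up with packets 80 µs apart. At 1 Gb/s the same 35 Mb/s average arrives 8 µs apart inside each burst: the cheap ruleset fills the 32-packet buffer only near the end of a burst and loses a few percent, while the content-heavy one saturates it within the first forty packets and loses most of every burst. The only variable that changed between the two bursty runs is the wire gap, which is the reply's point.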