[Snort-users] Snort 2.0.5 dropping packets
mkettler at ...4108...
Fri Dec 19 10:58:02 EST 2003
At 12:03 PM 12/19/2003, Sheahan, Paul wrote:
>Now I built a new Snort server on beefier hardware running RHLinux 8.0 and
>Snort 2.0.5 and a gig NIC. The network it is on is running at 1000mb/s
>(gig) though traffic levels are the same as the old network (35mb/s). Yet
>Snort drops .2% (point 2 percent) of traffic on the default ruleset and
>when I add my custom rule file (which has a lot of content based rules),
>Snort drops massive amounts of packets (like 30 to 40%!)
>Any ideas why this would happen when it didn't happen on the lower end box
>running at 100mb/s? Any tips on how I can avoid this? I confirmed that the
>gig nic is running at 1000mb/s as it should be and the port on the switch
>it is plugged into is forced at 1000mb/s.
Well, let's put it this way... 35mbps is the *average* throughput.. but that
has little or nothing to do with packet drop rate..
What most affects packet drop rate is the minimum possible time between two
packets. This is largely dependent on your peak wire-rate, not your average.
By switching to gigabit ethernet, even with only 35mbps flowing through it
on average, you've made it possible for two packets to be 1/10th the
distance apart in time. This is because routers can queue packets, and send
a small burst of them at once.. The average is still 35mbps, but the
instantaneous rate is gigabit, and that can go on until the router exhausts
whatever pile of packets it has queued up.
TCP streams also tend to have this bursty behavior as they come out of the
source machine. TCP has a rate limiter, but once an ack comes in and opens
up the window, it can crank out a bunch of segments until the window is
exhausted or one of the rate limiting systems kicks in (congestion
avoidance and/or slow start).
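A toy model of the effect described in this reply, added here as an example and not part of the thread: bursts arrive at wire rate while the long-run average stays at 35 Mb/s, and a sensor with a fixed per-packet cost and a small capture buffer drops far more on a gigabit link. Every number in it (frame size, burst length, buffer depth, 20,000 packets/s of sensor capacity) is a constructed assumption, not a measurement of Snort or the poster's hardware.

```python
# Added example (not from the thread): same 35 Mb/s average, different wire
# rate. Bursts arrive at the minimum inter-frame gap of the link; a sensor
# with a fixed per-packet cost drains a small capture buffer. All parameters
# are constructed assumptions, not measurements.

def min_gap_us(line_rate_bps, frame_bytes=64):
    """Smallest possible time between two frames on the wire, in microseconds.
    Ethernet adds an 8-byte preamble/SFD and a 12-byte interframe gap."""
    return (8 + frame_bytes + 12) * 8 / line_rate_bps * 1e6

def simulate_drops(line_rate_bps, avg_bps=35e6, frame_bytes=1000, burst_pkts=64,
                   buffer_pkts=32, sensor_pps=20000, seconds=0.1):
    """Fraction of packets dropped. Packets arrive in bursts of burst_pkts at
    wire rate; bursts are spaced so the long-run average is avg_bps. The sensor
    finishes one packet every 1/sensor_pps seconds (a heavier content-matching
    rule set means a lower sensor_pps) from a buffer holding at most
    buffer_pkts packets, including the one being processed."""
    pkt_bits = frame_bytes * 8
    burst_period = burst_pkts / (avg_bps / pkt_bits)   # keeps the average rate
    gap = min_gap_us(line_rate_bps, frame_bytes) / 1e6
    service = 1.0 / sensor_pps
    queued, next_free, total, dropped, t = 0, 0.0, 0, 0, 0.0
    while t < seconds:
        for i in range(burst_pkts):
            arrival = t + i * gap
            # Retire every packet the sensor finished before this one arrived.
            while queued and next_free <= arrival:
                queued -= 1
                if queued:
                    next_free += service
            total += 1
            if queued >= buffer_pkts:
                dropped += 1              # buffer full: the capture layer drops it
            else:
                if queued == 0:           # sensor idle: it starts on this packet now
                    next_free = max(next_free, arrival) + service
                queued += 1
        t += burst_period
    return dropped / total

if __name__ == "__main__":
    for rate in (100e6, 1000e6):
        print(f"{rate / 1e6:5.0f} Mb/s wire: min gap {min_gap_us(rate, 1000):6.2f} us, "
              f"drops {100 * simulate_drops(rate):5.1f}% at a 35 Mb/s average")
```

With these assumptions the 100 Mb/s link drops nothing because frames arrive slower than the sensor can process them, while the gigabit link loses roughly a third of each burst before the buffer drains again between bursts.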