[Snort-users] what causes packet drops with low cpu usage

Matt Kettler mkettler at ...4108...
Fri Jun 20 12:13:01 EDT 2003

At 08:17 AM 6/20/2003 -0400, Horta, Benny wrote:
>What would cause snort to drop packets even if the cpu is in the 20-30 
>percent range? It is about 2%

The two are completely unrelated.

CPU usage is an average load.. Averaged over a period of time, snort chewed 
up 20% of the CPU.. IMO for a snort box, anything over 5% average CPU usage 
should be considered high unless you're doing a stress test where you've 
got your network saturated with dummy traffic.

However, a packet drop is the result of snort not being able to respond 
fast enough at a given instant where a bunch of packets come in quickly. 
This has little to do with snort's average CPU usage.. This has to do with 
how long it takes snort to process a packet, and how close together the 
packets appear at a given moment in time. So it's the result of the 
instantaneous worst-case instead of an average.

