[Snort-users] Snort missing traffic...?

Rich Adamson radamson at ...2127...
Thu May 8 18:42:09 EDT 2003


> Bought a new Netgear 10 mb hub...Here is more info:
> I ran "snort -v -i eth0" and saw that it does in fact see traffic like arp 
> requests from other servers and I can see that snort sees POP3 traffic as 
> well from the firewall to our mail server on another network...Stopped 
> snort and it said it captured 911 out of 911 packets, dropping 0 packets.

That indicates your previous Dlink hub was acting as a switch. As I mentioned,
the Netgear box will do the same thing, but it seems to _only_ do it when 
one port is operated at 10 meg and a different port is operating at 100 meg.

> Now, I run a scan using Cerebus CIS5.0.02 at the same time run "snort -v -i 
> eth0...scan completes and I stop snort. I then see that snort analyzed 2705 
> out of 3870 packets, dropping 1165 (30%) packets. Why? I have zero 
> idea...SO. I am not sure what to do to get it to see the other traffic...

The 30% dropped packets is the result of net activity arriving faster
than the snort machine can process it. In other words, it is directly
related to processor speed, amount of memory, bus speed, NIC card
efficiency, etc.  Most likely, the snort processor is undersized to handle
the data rate. But, will your network ever see real traffic loads that are 
similar to that created by Cerebus? Only you can answer that.

I'd suggest running snort on the live network for an hour/day and see what
your dropped packet rate happens to be, keeping in mind that any packets
dropped by snort _could_ just be those that you would want to know about.
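As an added example (not from the thread or from the Snort project), a small script that parses the shutdown summary lines Snort prints, in the shape quoted above, and flags runs whose drop rate exceeds a threshold; the sample lines, the 1% threshold and the function names are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample of the shutdown summary Snort prints, in the shape quoted
# in the thread (exact wording varies by Snort version; these are hypothetical).
SAMPLE_SUMMARIES = {
    "hub-idle": "Snort analyzed 911 out of 911 packets, dropping 0(0.000%) packets",
    "cerebus-scan": "Snort analyzed 2705 out of 3870 packets, dropping 1165(30.103%) packets",
    "truncated": "Snort analyzed 100 out of 300 packets, dropping 50(16.667%) packets",
}

# Tolerant of both the "analyzed" and "captured" wordings seen in the thread.
SUMMARY_RE = re.compile(
    r"(?:analyzed|captured)\s+(?P<analyzed>\d+)\s+out of\s+(?P<total>\d+)\s+packets,"
    r"\s+dropping\s+(?P<dropped>\d+)"
)


def parse_summary(line: str) -> Optional[dict]:
    """Extract analyzed/total/dropped counts and compute the drop percentage."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    counts = {k: int(v) for k, v in m.groupdict().items()}
    total = counts["total"]
    counts["drop_pct"] = 100.0 * counts["dropped"] / total if total else 0.0
    return counts


def assess(line: str, max_drop_pct: float = 1.0) -> str:
    """Classify one run: OK, UNDERSIZED (sensor cannot keep up), INCONSISTENT, or UNPARSED."""
    c = parse_summary(line)
    if c is None:
        return "UNPARSED"
    # Counts should reconcile; a mismatch usually means a garbled or partial log line.
    if c["analyzed"] + c["dropped"] != c["total"]:
        return "INCONSISTENT"
    # Any sustained drop means the sensor is blind to some traffic, possibly the
    # very packets it was deployed to see, so keep the threshold low.
    return "UNDERSIZED" if c["drop_pct"] > max_drop_pct else "OK"


if __name__ == "__main__":
    for name, line in SAMPLE_SUMMARIES.items():
        c = parse_summary(line) or {}
        print(f"{name:13s} drop={c.get('drop_pct', 0):6.2f}%  verdict={assess(line)}")
```

Run it against the summary lines collected from the live-network test the post suggests, rather than the scan run alone, to see whether the drop rate is a real capacity problem.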


