[Snort-users] Testing problem, slow

Bryan Taylor bcptaylor at ...5068...
Mon Nov 24 04:13:03 EST 2003

I am attempting to conduct basic tests on Snort 2.0.1 (Build 88) running on
an RLX server blade with dual 2.8 Xeons and 2G RAM and on a Dell 2650, same
setup -- plenty of hardware IMHO to run on a Gig network.  The OS is RedHat
9 with kernel 2.4.20.  The test consists of throwing artificial traffic to a
number of ports on a Cisco switch simultaneously (this is not the issue).  I
began trying for 40Mbps, and I always get approximately 40% dropped packets.
Not believing this, I read about RedHat's libpcap error, and replaced it.  I
compiled libpcap-current from today from tcpdump.org, dated 22-nov-2003.  I
compiled snort, being sure to link with the only libpcap on the system (the
one I just compiled).  I run snort with the default ruleset in a script as
    #!/bin/sh
    # Run snort on eth0 with the default ruleset, binary logging (-b) and
    # fast alerts, sending stdout and stderr to separate files; stop it
    # after two minutes so the exit statistics are printed.
    snort -c /etc/snort/snort.conf -i eth0 -b -Afast -l /var/log/snort/eth0 -I \
        > /var/log/snort/eth0/out 2> /var/log/snort/eth0/err &
    sleep 2m
    kill `pidof snort`

I have dropped the speed of the traffic to as low as 4Mbps, and I get about
the same 40% drop rate.  On the 2650, I ran ethereal in place of snort, and
ethereal reports very different numbers of packets total and dropped.  Both
snort and ethereal report unrealistic numbers, such as (ethereal) ~819,000
packets counted, ~4,100,000 dropped.  The speed of the traffic coming in from the
source is exactly 10,416 packets per second, 64 bytes per packet.  In 2
minutes, there ought to be ~1.2 million packets...not far off from the
reported.  The speed ought to be ~5Mbps, also close to the reported.

So what am I missing?  Why is it a) so inaccurate in reporting dropped
packets or b) so slow?  Any input would be greatly appreciated.

bcptaylor at ...5068...
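Added example, not part of the original post and not Snort project code: a small POSIX shell script that does the sanity arithmetic from the post (offered packets and bit rate from pps, packet size and run time) and checks a Snort exit summary against it, flagging counter sets that cannot be right because received plus dropped exceeds what the generator could have sent. It assumes Snort 2.x prints a summary line of the form "Snort analyzed N out of M packets, dropping D(P%) packets" at exit; the sample line below is constructed from the numbers in the post, not a real capture.

```shell
#!/bin/sh
# Sanity-check Snort/libpcap packet counters against a known offered load.
# Added example; the summary line format is assumed and the sample is constructed.

# Packets a generator at PPS packets/s produces in SECONDS seconds.
expected_packets() {
    echo $(( $1 * $2 ))
}

# Offered load in kbit/s for PPS packets of BYTES each. Counts frame bytes
# only (no preamble or inter-frame gap), so the true wire load is a bit higher.
offered_kbps() {
    echo $(( $1 * $2 * 8 / 1000 ))
}

# Extract "analyzed received dropped" from an assumed Snort 2.x summary line:
#   Snort analyzed N out of M packets, dropping D(P%) packets
parse_snort_summary() {
    echo "$1" | sed -n \
      's/^Snort analyzed \([0-9]*\) out of \([0-9]*\) packets, dropping \([0-9]*\)(.*/\1 \2 \3/p'
}

# Verdict on a counter set, arguments: received dropped expected.
#   bogus - received+dropped exceeds the offered total by more than 10%,
#           so the counters themselves are not credible
#   drops - counters are plausible but 5% or more of traffic was dropped
#   ok    - plausible counters, under 5% drops
check_counters() {
    r=$1; d=$2; e=$3
    total=$(( r + d ))
    if [ "$total" -gt $(( e * 11 / 10 )) ]; then
        echo bogus; return 0
    fi
    if [ "$d" -gt 0 ] && [ $(( d * 100 / total )) -ge 5 ]; then
        echo drops; return 0
    fi
    echo ok
}

# Constructed sample (not a real capture) using the figures from the post:
# 10,416 pps of 64-byte packets for 120 s, with the counters ethereal showed.
SAMPLE='Snort analyzed 819000 out of 819000 packets, dropping 4100000(83.350%) packets'
set -- $(parse_snort_summary "$SAMPLE")
expected=$(expected_packets 10416 120)
echo "expected ~$expected packets, ~$(offered_kbps 10416 64) kbit/s offered"
echo "analyzed=$1 received=$2 dropped=$3 verdict=$(check_counters "$2" "$3" "$expected")"
```

With the post's numbers the verdict is "bogus": 819,000 received plus 4,100,000 dropped is almost four times the ~1.25 million packets that 10,416 pps can deliver in two minutes, so the drop counter is not measuring what it appears to, which is the point to chase before tuning anything.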
