[Snort-users] Testing problem

bcptaylor at ...5068... bcptaylor at ...5068...
Mon Nov 24 07:10:08 EST 2003


I am attempting to conduct basic tests on Snort 2.0.1 (Build 88) running on an RLX server blade with dual 2.8 Xeons and 2G RAM and on a Dell 2650, same setup -- plenty of hardware IMHO to run on a Gig network.  The OS is RedHat 9 with kernel 2.4.20.  The test consists of throwing artifical traffic to a number of ports on a Cisco switch simultaneously (this is not the issue).  I began trying for 40Mbps, and I always get approximately 40% dropped packets.  Not believing this, I read about RedHat's libpcap error, and replaced it.  I compiled libpcap-current from today from tcpdump.org, dated 22-nov-2003.  I compiled snort, being sure to link with the only libpcap on the system (the one I just compiled).  I run snort with the default ruleset in a script as such:
snort -c /etc/snort/snort.conf -i eth0 -b -Afast -l /var/log/snort/eth0 -I > /var/log/snort/eth0/out 2> /var/log/snort/eth0/err &
sleep 2m
kill `pidof snort`

I have dropped the speed of the traffic to as low as 4Mbps, and I get about the same 40% drop rate.  On the 2650, I ran ethereal in place of snort, and ethereal reports very different numbers of packets total and dropped.  Both snort and ethereal report unrealistic numbers, such as (ethereal) ~819,000 packet count, ~4100000 dropped.  The speed of the traffic coming in from the source is exactly 10,416 packets per second, 64 bytes per packet.  In 2 minutes, there ought to be ~1.2 million packets...not far off from the reported.  The speed ought to be ~5Mbps, also close to the reported.

So what am I missing?  Why is it a) so inaccurate in reporting dropped packets or b) so slow?  Any input would be greatly appreciated.  

Taylor
bcptaylor at ...5068...




More information about the Snort-users mailing list