[Snort-users] 2.1.3rc1 Performance

Kreimendahl, Chad J Chad.Kreimendahl at ...4716...
Thu May 20 11:02:01 EDT 2004

If you run snort on that interface... You can kill -USR1 <pid> and it
will dump stats to syslog.  I'd also make sure to run a few different

You can tell tcpreplay to replay the packets at a certain rate, or even
at a certain multiplication of the original timing.   I'd recommend
doing it normal, doing it at twice the speed, and then doing it as fast
as possible for each of the two pcaps.    

-----Original Message-----
From: Gary_Portnoy at ...11307... [mailto:Gary_Portnoy at ...11307...] 
Sent: Thursday, May 20, 2004 11:10 AM
To: Kreimendahl, Chad J
Cc: snort-users at lists.sourceforge.net; Darren Webb
Subject: RE: [Snort-users] 2.1.3rc1 Performance

I'll know for sure tonight.  I am capturing exactly 1 million packets
tcpdump.  Tonight I'll connect two systems with a cross-over cable and
snort on one side with a stripped conf file and tcpreplay (Thanks Chad!)
on the other side to dump out the packets.  I'll run this with both
versions and see what gets reported.  If libpcap 0.7.2 keeps reporting 0
dropped, I'll try to increase the rate to see if there is a point when
actually reports anything....

Gary Portnoy

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...4716...>
05/20/2004 11:24 AM

        To:     "Darren Webb" <spyder007 at ...6436...>,
<Gary_Portnoy at ...11307...>
        cc:     <snort-users at lists.sourceforge.net>
        Subject:        RE: [Snort-users] 2.1.3rc1 Performance

The problem isn't freebsd, as far as anyone can tell.  The problem
to be with libpcap 0.8.3.  Using 0.7.2 resolves this reporting of
packets problem.   At this point I'm not completely sure that 0.8.3 is 
actually dropping packets, but may just be reporting drops when there

-----Original Message-----
From: Darren Webb [mailto:spyder007 at ...6436...] 
Sent: Wednesday, May 19, 2004 11:55 PM
To: Gary_Portnoy at ...11307...
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] 2.1.3rc1 Performance

We recently switched from Redhat based sensors to FreeBSD and noticed an
alarming jump in dropped packets as well.

You can also try this in addition to perfmon.  (FreeBSD 5.2.1 Snort
Libpcap 0.8.3)

ps aux | grep snort
kill -USR1 <pid>
tail -100 /var/log/messages

(Of course, your commands will vary somewhat on Solaris.)

The output will show stats from when the Snort session was started.  You
then check the frag2 and stream4 preprocessors for possible memory
and discarded packets.  We were seeing 40% to 80% packet loss at times
by giving these preprocessors extra memory and defining the TTLs better
the snort.conf file we are now at 1% or lower.

Hope this helps some.
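The two procedures in this thread (Chad's three tcpreplay runs at normal, 2x and full speed, and Darren's kill -USR1 / tail of syslog to read Snort's drop counters) are easy to get wrong by hand, so here is an added example that is not part of the thread or of Snort/tcpreplay: a small Python harness that parses the cumulative statistics Snort writes to syslog on SIGUSR1, recomputes the drop percentage from the raw counters (so a libpcap that mis-reports drops, the 0.8.3 suspicion above, is caught by a counter mismatch rather than trusted), and builds the three replay commands. The "Snort analyzed N out of M packets, dropping D(P%) packets" line format, the /var/log/messages path, the tcpreplay 3.x/4.x long options (--intf1, --multiplier, --topspeed; the 2004-era 2.x binary used different flags) and the sample syslog lines are all assumptions constructed for the example.

```python
"""Added example, not from the thread: check Snort drop counters across
tcpreplay runs. Assumes Snort 2.x-style SIGUSR1 stats lines in syslog and
modern tcpreplay long options; adjust both to what your sensor actually shows."""
import os
import re
import signal
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed Snort 2.x summary line written to syslog on SIGUSR1; the regex is
# deliberately anchored on the words, not the syslog prefix.
_STATS_RE = re.compile(
    r"Snort analyzed (?P<analyzed>\d+) out of (?P<received>\d+) packets, "
    r"dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\) packets"
)

# Constructed sample syslog excerpt (two successive USR1 dumps, counters are
# cumulative since Snort started, so the last line is the one that matters).
SAMPLE_SYSLOG = """\
May 20 23:10:01 sensor snort[1234]: Snort analyzed 500000 out of 500000 packets, dropping 0(0.000%) packets
May 20 23:14:02 sensor snort[1234]: Snort analyzed 999872 out of 1000000 packets, dropping 128(0.013%) packets
"""


@dataclass
class SnortStats:
    analyzed: int
    received: int
    dropped: int
    reported_pct: float

    @property
    def computed_pct(self) -> float:
        """Drop percentage recomputed from the raw counters, not the one Snort printed."""
        if self.received == 0:
            return 0.0
        return 100.0 * self.dropped / self.received


def parse_snort_stats(syslog_text: str) -> Optional[SnortStats]:
    """Return the most recent Snort summary found in a chunk of syslog, or None."""
    last = None
    for line in syslog_text.splitlines():
        m = _STATS_RE.search(line)
        if m:
            last = SnortStats(int(m["analyzed"]), int(m["received"]),
                              int(m["dropped"]), float(m["pct"]))
    return last


def counters_consistent(s: SnortStats) -> bool:
    """analyzed + dropped must equal received, and the printed percentage must
    match the counters; if either fails, distrust the drop figure (libpcap bug?)."""
    return (s.analyzed + s.dropped == s.received
            and abs(s.reported_pct - s.computed_pct) < 0.01)


def replay_plan(pcap: str, iface: str) -> List[List[str]]:
    """The three runs suggested above: original timing, 2x, as fast as possible.
    Flags are tcpreplay 3.x/4.x long options (assumption)."""
    base = ["tcpreplay", f"--intf1={iface}"]
    return [
        base + [pcap],
        base + ["--multiplier=2.0", pcap],
        base + ["--topspeed", pcap],
    ]


def dump_stats(snort_pid: int, logfile: str = "/var/log/messages", settle: float = 2.0) -> Optional[SnortStats]:
    """kill -USR1 the sensor, wait for syslog to flush, and parse the newest summary."""
    os.kill(snort_pid, signal.SIGUSR1)
    time.sleep(settle)
    with open(logfile, "r", errors="replace") as fh:
        return parse_snort_stats(fh.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the live loop below
    # needs a running Snort (pid from `pgrep snort`) and root for tcpreplay.
    s = parse_snort_stats(SAMPLE_SYSLOG)
    print(f"dropped {s.dropped}/{s.received} = {s.computed_pct:.4f}% "
          f"(reported {s.reported_pct}%), consistent={counters_consistent(s)}")
    for cmd in replay_plan("/tmp/million.pcap", "em0"):
        print("would run:", " ".join(cmd))
        # subprocess.run(cmd, check=True); print(dump_stats(snort_pid))
```

Run each replay, dump the counters after it, and compare the three SnortStats objects: because the counters are cumulative, subtract the previous run's figures to get per-run drops. A run where counters_consistent() is False is exactly the "reporting drops when there are none" case the thread is trying to distinguish from real loss.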

