[Snort-users] packet loss
mkettler at ...4108...
Tue Sep 28 11:02:01 EDT 2004
At 10:13 AM 9/28/2004, Larry Wichman wrote:
>In the course of my testing of Snort I have averaged about 40% packet
>loss. I am running Snort on Fedora. The segment I am monitoring is 100 mb
>and is very busy. Does anyone have any recommendations for tuning Snort to
>not drop so many packets? Are there any recommendations for hardware? The
>CPU is running at about 40% and the memory looks fine.

First, I'd make sure your setup is reasonably optimized.

What logging modes are you using? Switching to tcpdump or unified packet
logging is a HUGE improvement from the default plain text-mode logging.

Then some simple low-cost hardware checks:

Are you digging into your swap partition, or do you have sufficient RAM?

What kind of NIC are you using? A Realtek RT8139 is a popular, but very
inefficient network controller. Look into something with more efficient DMA
alignments (DEC Tulip, Intel eepro, etc). The newer gigabit Realtek 8169
part is fairly reasonable from what I hear, but I've not tested it.
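
The low-cost host checks listed in the reply above (swap use, NIC driver), as an added shell example that is not part of the original post; it goes one step further and also reads the kernel's own receive-drop counter for the interface. It assumes a Linux sensor with standard procfs/sysfs, and the function names and the `SENSOR_IFACE` variable are hypothetical.

```shell
#!/bin/sh
# Added example: host-side checks for a Linux Snort sensor (not from the original post).

# Swap in use, in kB, from a /proc/meminfo-format file.
swap_used_kb() {
    awk '/^SwapTotal:/ {t = $2} /^SwapFree:/ {f = $2} END {print t - f}' "$1"
}

# Kernel RX "drop" counter for interface $2 from a /proc/net/dev-format file.
# Splitting on ":" also handles old kernels that print "eth0:1234" unspaced.
rx_drops() {
    awk -v ifc="$2" '{
        sub(/^[ \t]+/, "")
        n = index($0, ":")
        if (n > 0 && substr($0, 1, n - 1) == ifc) {
            split(substr($0, n + 1), c, " ")
            print c[4]          # receive columns: bytes packets errs drop
        }
    }' "$1"
}

# Driver bound to an interface, read from sysfs (empty for virtual devices).
nic_driver() {
    d=$(readlink "/sys/class/net/$1/device/driver" 2>/dev/null) || return 0
    basename "$d"
}

# Flags the RTL8139 drivers (8139too, 8139cp), the part the reply calls inefficient.
driver_verdict() {
    case "$1" in
        8139too|8139cp) echo "inefficient" ;;
        "")             echo "unknown" ;;
        *)              echo "ok" ;;
    esac
}

sensor_report() {
    drv=$(nic_driver "$1")
    echo "swap used (kB): $(swap_used_kb /proc/meminfo)"
    echo "rx drops on $1: $(rx_drops /proc/net/dev "$1")"
    echo "driver: ${drv:-none} ($(driver_verdict "$drv"))"
}

# Assumption: the sniffing interface is passed in SENSOR_IFACE, e.g. SENSOR_IFACE=eth1.
if [ -n "${SENSOR_IFACE:-}" ]; then
    sensor_report "$SENSOR_IFACE"
fi
```

A nonzero and growing RX drop count means packets are being lost below Snort, in the driver or kernel, which points at the NIC or host rather than at the rule set.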