[Snort-users] packet loss

Matt Kettler mkettler at ...4108...
Tue Sep 28 11:02:01 EDT 2004


At 10:13 AM 9/28/2004, Larry Wichman wrote:
>In the course of my testing of Snort I have averaged about 40% packet 
>loss. I am running Snort on Fedora. The segment I am monitoring is 100 mb 
>and is very busy. Does anyone have any recommendations for tuning Snort to 
>not drop so many packets? Are there any recommendations for hardware? The 
>CPU is running at about 40% and the memory looks fine.
>

First, I'd make sure your setup is reasonably optimized.

What logging modes are you using? Switching to tcpdump or unified packet 
logging is a HUGE improvement from the default plain text-mode logging.


Then some simple low-cost hardware checks:
Are you digging into your swap partition, or do you have sufficient RAM?

What kind of NIC are you using? A Realtek RT8139 is a popular, but very 
inefficient network controller. Look into something with more efficient DMA 
alignments (DEC Tulip, Intel eepro, etc). The newer gigabit Realtek 8169 
part is fairly reasonable from what I hear, but I've not tested it.
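
The two hardware checks from the reply above (swap use and NIC type), as an added shell example that is not part of the original post. It assumes a Linux sensor, and the driver names are an assumption: the mainline kernel modules for the chips the post names.

```shell
#!/bin/sh
# Added example: swap and NIC checks for a Linux Snort sensor.
# Assumption: driver names are the mainline Linux modules for the chips named
# in the post (8139too/8139cp = Realtek 8139, r8169 = Realtek 8169,
# tulip = DEC Tulip, e100/eepro100 = Intel EtherExpress Pro).

# swap_used_kb FILE: print swap in use (kB) from a /proc/meminfo-format file.
swap_used_kb() {
    awk '/^SwapTotal:/ {t=$2} /^SwapFree:/ {f=$2} END {print t-f}' "$1"
}

# classify_driver NAME: rate a NIC driver according to the advice in the post.
classify_driver() {
    case "$1" in
        8139too|8139cp)      echo "inefficient" ;;
        tulip|e100|eepro100) echo "recommended" ;;
        r8169)               echo "untested-reportedly-ok" ;;
        *)                   echo "unknown" ;;
    esac
}

# nic_driver IFACE [SYSFS_ROOT]: print the kernel driver bound to an interface.
nic_driver() {
    link="${2:-/sys}/class/net/$1/device/driver"
    [ -e "$link" ] || return 1
    basename "$(readlink -f "$link")"
}

# report IFACE: run both checks against the live system.
report() {
    used=$(swap_used_kb /proc/meminfo)
    if [ "$used" -gt 0 ]; then
        echo "swap: ${used} kB in use; the sensor may be short on RAM"
    else
        echo "swap: not in use"
    fi
    if drv=$(nic_driver "$1"); then
        echo "nic: $1 uses driver $drv ($(classify_driver "$drv"))"
    else
        echo "nic: no driver found for $1 (virtual or missing interface)"
    fi
}

# Query the live system only when an interface is named, e.g. ./check.sh eth0
if [ -n "${1:-}" ]; then report "$1"; fi
```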





