[Snort-users] Snort not seeing all packets

Matt Kettler mkettler at ...4108...
Tue Feb 22 12:41:13 EST 2005

At 02:45 PM 2/22/2005, sEc nErD wrote:
>I seem to have a strange problem on one of the
>interfaces: snort is not seeing all packets. Like when
>I run tcpdump and run a port scan towards that
>sniffing interface, I don't see it in the tcpdump.
>Also, when I ctrl-c tcpdump
>it shows me large amounts of packets dropped by kernel
>compared to received in filter, like almost 85%

Clearly your system isn't able to keep up. A few questions that might help 
you find some solutions:

1) What kind of data rate are we talking here? gigabit? 100m?

2) What kind of pcap library are you using? Are you using Phil Wood's 
enhanced pcap library?

3) What kind of network card are you using? (This does matter. Some, like 
the Realtek 8129, are very inefficient in terms of CPU load.)

4) What kind of CPU are you running on?

