[Snort-users] Re: Snort not logging all packets

James Affeld jamesaffeld at ...131...
Tue Mar 8 11:30:34 EST 2005


Is Snort running at the same time as tcpdump?  How
busy is the network and how busy is the box monitoring
it?

If you have a sensor attached to a 100 megabit span
port on a switch with a 32 gigabit backplane, you
might well expect to miss a lot of packets.

If it's a Unix/Linux/BSD-based sensor you can run top
to get the top 10 running processes, and overall CPU
and memory usage.


> 
> Message: 6
> Date: Mon, 7 Mar 2005 11:41:05 -0800 (PST)
> From: sEc nErD <umkcguy1978 at ...131...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Snort not logging all packets
> 
> Hi all,
>  
> I am running Snort on a Fedora box and I started
> with a doubt that it is not logging all the packets.
> I checked it with tcpdump and when I stop tcpdump I
> see 90% of the packets being dropped by the kernel.
> When I see /var/log/messages
> I see the below error for both sniffing interfaces
>  
> OpenPcap() device eth0 network lookup:  ^Ieth0: no
> IPv4 address assigned
>  
> I checked the version of libpcap running it is
>  " libpcap-0.8.3-3 "
> Output of # uname -a  
>  
> Linux localhost.localdomain 2.6.5-1.358smp #1 SMP
> Sat May 8 09:25:36 EDT 2004 i686 i686 i386 GNU/Linux
>  
> If anybody could help me on this I would really
> appreciate it.
> Thanks all,
> kaps
> 



	
		