[Snort-users] Kernel Dropping Packets

Arseneault, Thomas (HQP) thomas.arseneault at ...13070...
Wed Mar 9 12:22:01 EST 2005

Logging to the console is rate limited depending on the OS your using.
I've had Solaris machines with consoles limited to 9600 baud. I don't
recall right now how/where to check your console speed but that is what
I'd bet the problem is. You start writing to the console and the buffer
fills up and blocks the text steam causing the kernel to stop processing
packets, you processor is fine and more than capable of keeping up but
it's told not to. Files will write as fast as he platter and heads and
interface will let you. You might be able to increase the speed of the
console but you'll get to a point, early on, where the stream speeds by
too fast to be of any use and any thing interesting will flow past the
end of the scroll back buffer.

Tom Arseneault
Security Engineer 
Robert Half International

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of sEc nErD
Sent: Wednesday, March 09, 2005 8:58 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] Kernel Dropping Packets

I stopped my snort ,Whenevr i use tcp dump on the sniffing interfaces to
write tot he console kernel drops 90% of the packets , but when i do tcp
dump to write to a file whatever ti sniffs it kernel drops zero packets.

Since writing to file requires less cpu usage and kernel doesnt drop
anything ,i am assuming my pcap is just working fine....but when we
write tot he console...the cpu cannot process info from pcap as

But my proccessor info and others dont give me any resource crunch
unless am interpreting them wrong..please let me know what cud be the
issue thanks any help on that below are outputs of meminfo,cpu info and
top -c #cat cpuinfo
processor       : 1
vendor_id       : GenuineIntel
cpu family      : 15
model           : 4
model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
stepping        : 1
cpu MHz         : 2996.236
cache size      : 1024 KB
physical id     : 0
siblings        : 2
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 5
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8
apic mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss
ht tm pbe pni monitor ds_cpl cid
bogomips        : 5980.16

#cat meminfo
cat meminfo
MemTotal:      1034584 kB
MemFree:        437504 kB
Buffers:        123512 kB
Cached:         222808 kB
SwapCached:          0 kB
Active:         336500 kB
Inactive:       172152 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:      1034584 kB
LowFree:        437504 kB
SwapTotal:     2040244 kB
SwapFree:      2040244 kB
Dirty:               4 kB
Writeback:           0 kB
Mapped:         155860 kB
Slab:            74228 kB
Committed_AS:   247860 kB
PageTables:       7340 kB
VmallocTotal:  3088376 

#top -c
Cpu(s):  0.2% us,  0.0% sy,  0.0% ni, 99.8% id,  0.0% wa,  0.0% hi,
0.0% si
Mem:   1034584k total,   597144k used,   437440k free,
  123512k buffers
Swap:  2040244k total,        0k used,  2040244k free,
  222808k cach

Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 

SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list