[Snort-users] snort packet loss rate

Justin Heath jheath at ...1935...
Wed May 10 14:44:39 EDT 2006


I am assuming that you recompiled snort and tcpdump with 0.8.3.

I can't say for sure  the the libpcap behavior is causing your issue,  
however, I have seen that behavior in 0.9.4.

Also, keep in mind whenever you kill snort there are still unprocessed packets 
it has not been able to pull from the buffer. This will also skew your 
results. The packets that are still outstanding are currently reported in 
your overall received packets count. We have recently added a category for 
outstanding packets that will clarify this issue. I believe this will be part 
of the 2.6.0 release.

Anyway, if you are seeing the same behaviour with other tools such as tcpdump 
the issue is external to Snort.


On Wednesday 26 April 2006 10:38, Jin Fang wrote:
> I just tried libpcap 0.8.3
> No difference.
>
> > Downgrade your libpcap and you should see your packet count stats drop by
> > 1/2.
> > Either that or ignore the fact that libpcap is counting them twice.
> >
> >
> > Cheers,
> > Justin Heath




More information about the Snort-users mailing list