[Snort-users] Snort inline extremely slow packet forwarding

Hussein Bahaidarah husseinb at ...11827...
Fri Jul 15 15:05:57 EDT 2011

Yes, I am bridging them in linux. This is what assumed should be done. Do you imply that I should break the bridge? will snort do the bridging instead? Eth1 is not used and not connected to any thing.

[root at ...15338... ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0010184d122c       no              eth3


On Jul 15, 2011, at 9:50 PM, Michael Altizer wrote:

On 07/15/2011 02:41 PM, Hussein Bahaidarah wrote:
> Thanks Rmkml for help,
> I found a work around and I don't understand how and why it did work.
> First, let me explain my configuration:
> eth2 and eth3 are bridged and snort IP should run on them
> eth1 is not used
> when I use:  "snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth2   -Q"  the slowness problem appear
> my work around is to use " snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth1   -Q ". This works fine though eth1 is not used!!
A couple questions:

What do you mean by "eth2 and eth3 are bridged"?  You're not putting 
them into a Linux bridge (with brctl), right?

Why is eth1 not being used in the second scenario?

AppSumo Presents a FREE Video for the SourceForge Community by Eric 
Ries, the creator of the Lean Startup Methodology on "Lean Startup 
Secrets Revealed." This video shows you how to validate your ideas, 
optimize your ideas and identify your business strategy.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please see http://www.snort.org/docs for documentation

More information about the Snort-users mailing list