[Snort-users] Snort inline extremely slow packet forwarding

Michael Altizer xiche at ...3147...
Fri Jul 15 15:14:47 EDT 2011


Correct.  The inline mode of the AFPacket DAQ module handles all of the 
packet forwarding.  By putting those interfaces in a bridge, you are 
retransmitting every packet a second time in addition to all of the 
other overhead associated with Linux bridges.

On 07/15/2011 03:05 PM, Hussein Bahaidarah wrote:
> Yes, I am bridging them in Linux. This is what I assumed should be done. Do you imply that I should break the bridge? Will snort do the bridging instead? Eth1 is not used and not connected to anything.
>
> [root at ...15338... ~]# brctl show
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0010184d122c       no              eth3
>                                                          eth2
>
> Thanks,
>
> On Jul 15, 2011, at 9:50 PM, Michael Altizer wrote:
>
> On 07/15/2011 02:41 PM, Hussein Bahaidarah wrote:
>> Thanks Rmkml for help,
>>
>> I found a workaround and I don't understand how and why it worked.
>> First, let me explain my configuration:
>> eth2 and eth3 are bridged and snort IP should run on them
>> eth1 is not used
>>
>> When I use:  "snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth2   -Q"  the slowness problem appears.
>>
>> My workaround is to use " snort    -N -K none -k notcp -c rules/inline -A console   --daq afpacket -i eth3:eth1   -Q ". This works fine though eth1 is not used!!
>>
> A couple questions:
>
> What do you mean by "eth2 and eth3 are bridged"?  You're not putting
> them into a Linux bridge (with brctl), right?
>
> Why is eth1 not being used in the second scenario?
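
A pre-flight check for the conflict described in the reply at the top of this message, added here as an example and not part of the original thread or of Snort: it takes the value passed to `snort -i` and reports any member interface that is also a Linux bridge port. The function names and the `SYSFS_NET` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag AFPacket inline pairs whose members are Linux bridge ports.
# SYSFS_NET is a hypothetical override so the check can be pointed at a test
# tree; on a real host it stays at /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# bridge_of IFACE: print the bridge the interface belongs to, or nothing.
# A bridge port has a "brport" directory and a "master" symlink to its bridge.
bridge_of() {
    if [ -d "$SYSFS_NET/$1/brport" ] && [ -L "$SYSFS_NET/$1/master" ]; then
        basename "$(readlink "$SYSFS_NET/$1/master")"
    fi
}

# check_inline_spec SPEC: SPEC is the argument of snort -i, e.g. "eth3:eth2".
# Several pairs joined with "::" are handled too (empty fields are skipped).
# Prints one line per bridged interface and returns 1 if any was found.
check_inline_spec() {
    rc=0
    old_ifs=$IFS
    IFS=:
    set -- $1          # split the spec into interface names
    IFS=$old_ifs
    for ifc in "$@"; do
        [ -n "$ifc" ] || continue
        br=$(bridge_of "$ifc")
        if [ -n "$br" ]; then
            echo "CONFLICT: $ifc is a port of bridge $br; run 'brctl delif $br $ifc' before snort -Q"
            rc=1
        fi
    done
    return $rc
}
```

With the `br0` layout shown in the `brctl show` output above, both `eth3:eth2` and `eth3:eth1` are reported, because `eth3` is still a port of `br0` in either case.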



