[Snort-users] Dropping packets when using a sniffer and snort together

Jeremy Hoel jthoel at ...11827...
Tue Oct 2 15:36:19 EDT 2012


Are you using the pf_ring NIC drivers?  That might be a good first start.

On Tue, Oct 2, 2012 at 6:42 PM, Abhishek Sharma
<abhisheksharma84 at ...11827...> wrote:
> Hi,
>
> Maybe this is not a question I should be putting on this forum at all but I
> nevertheless wanted to give it a shot. I have a high speed network and
> wanted to give snort inline a shot. It seems to work really well.
>
> The trouble comes when I try to club it with my sniffer. So basically I have
> 3 instances of snort inline running on ethX along with my custom sniffer
> trying to write all those packets to a pcap file on the disk (I have some
> requirements to store ALL the packets as well). I have observed that the
> sniffer works well when run standalone but starts dropping packets when
> snort is also running in parallel in inline mode.
>
> What could be the possible reasons? Is it that the CPU is starved of some
> READ operations as 3-4 processes are trying to process packets on the same
> interface???
>
> Abhi
>



