Snort mailing list archives
RE: Snort stopping - too much traffic?
From: Scott Williams <Sawilliams () mdch com>
Date: Tue, 29 Oct 2002 08:48:38 -0700
I'm on RH 7.3, with 3COM NICs, and Snort 1.9. The computer is dual-cpu and it only shows about 50% utilization, so I suspect the problem is the NICs. Does anyone have a 100MB NIC recommendation?

-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, October 28, 2002 5:27 PM
To: Scott Williams
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort stopping - too much traffic?

On Mon, 28 Oct 2002, Scott Williams wrote:
I'm running Snort with a 100MB NIC and everything was fine until I started sending it more traffic. I'm now sending about 40Mbps to it and it will run for an hour or so and then stop. I get the syslog message "kernel: eth1: Too much work in interrupt, status e401". I wonder if this is what happens when the NIC buffers get too full. Anyone had a similar experience?
1.9.0 doesn't seem to exhibit this, or at least in my setup. I'd guess that you are running < 1.8.7.

Another thing that you might want to check is your card, driver and kernel. I know that a _LOT_ of folks are using it on quite a bit more traffic (x 2.5+) with no issues. That would tend to point to your hardware and not to Snort.

Is this a slow box or a 'generic' NIC? If so, you might want to consider changing hardware. If you dig around on Intel's site you can/could find a 'demo unit' offer for a 10/100/1000 card for $39.00 (USD). Since NICs are cheaper than boxes, you might want to check that out. :)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net