Snort mailing list archives
Re: Snort missing traffic...?
From: Rich Adamson <radamson () routers com>
Date: Thu, 8 May 2003 14:13:55 -0600
PJ,
Bought a new Netgear 10 mb hub...Here is more info: I ran "snort -v -i eth0" and saw that it does in fact see traffic like arp requests from other servers, and I can see that snort sees POP3 traffic as well from the firewall to our mail server on another network...Stopped snort and it said it captured 911 out of 911 packets, dropping 0 packets.
That indicates your previous Dlink hub was acting as a switch. As I mentioned, the Netgear box will do the same thing, but it seems to _only_ do it when one port is operated at 10 meg and a different port is operating at 100 meg.
Now, I run a scan using Cerebus CIS5.0.02 and at the same time run "snort -v -i eth0"...scan completes and I stop snort. I then see that snort analyzed 2705 out of 3870 packets, dropping 1165 (30%) packets. Why? I have zero idea...SO. I am not sure what to do to get it to see the other traffic...
The 30% dropped packets is the result of net activity arriving faster than the snort machine can process it. In other words, it is directly related to processor speed, amount of memory, bus speed, NIC card efficiency, etc. Most likely, the snort processor is undersized to handle the data rate. But, will your network ever see real traffic loads that are similar to that created by Cerebus? Only you can answer that. I'd suggest running snort on the live network for an hour/day and see what your dropped packet rate happens to be, keeping in mind that any packets dropped by snort _could_ just be those that you would want to know about.

Rich

Snort-users mailing list: Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users