Snort mailing list archives

RE: Dropping packets why?

From: "Elijah Savage" <esavage () digitalrage org>
Date: Mon, 27 Oct 2003 19:07:49 -0500

Oh yeah and by the way the firewall works great and does not drop any
packets until enabling snort, and if I enable snort and barnyard the cpu
never gets above 0.5% while using TOP.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Elijah
Savage
Sent: Monday, October 27, 2003 6:50 PM
To: Michael Sierchio; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Dropping packets why?

Thank you all for reading my post but it seems you all did not read it
and looked at my measly hardware and wanted to jump all over it. But
this is for a cable internet connection 3megabitsDown/512up This machine
should be way more than enough to keep up considering some of the
hardware I have seen on some of the connections they are using.

It has to be a config problem.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Michael
Sierchio
Sent: Monday, October 27, 2003 3:50 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Dropping packets why?

O'Flynn, Derek wrote:

I have a 15mb pipe to the Internet, this is reports from tcpdump.

Dual p133 256mb I drop 50% packets.

Quad ppro200 1gb I drop about 20%.

Both were running FreeBSD 5.1 with custom SMP kernels and 3com905.


a 133MHz Elan (486) w/direct write to mfs (ram disk) and rotating
using tcpdump -c to NFS-mounted media drops no packets at twice
T1 speed.  That's observed performance, I haven't seen data rates
yet where it starts dropping packets.  One bottleneck is
in the Berkeley Packet Filter (copying buffers to kernel and then
to user space) and another the filesystem (softupdates or async
might help -- I use the latter on the mfs, figuring it's the battery
that provides integrity ;-)

With Phil Wood's buffer tweak, there's no reason a 200MHz PPro
should drop any packets (unless you're doing dns lookups, of course)
at your 1/3 DS3 rate.

-- 

"Well," Brahma said, "even after ten thousand explanations, a fool is no
  wiser, but an intelligent man requires only two thousand five
hundred."
                 - The Mahabharata



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users



-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Dropping packets why?, (continued)
- - Message not available
    - Re: Dropping packets why? Matt Kettler (Oct 27)
- Re: Dropping packets why? Edin Dizdarevic (Oct 27)
- RE: Dropping packets why? O'Flynn, Derek (Oct 27)
  - Re: Dropping packets why? Michael Sierchio (Oct 27)
    - copious (snort_decoder) WARNING: Not IPv4 datagram! Ernie Lim (Oct 27)
    - RE: copious (snort_decoder) WARNING: Not IPv4 datagram! Ernie Lim (Oct 27)
    - Re: copious (snort_decoder) WARNING: Not IPv4 datagram! Geoff (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)
  - Message not available
    - RE: Dropping packets why? Matt Kettler (Oct 27)
  - RE: Dropping packets why? Paul Schmehl (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)
- RE: Dropping packets why? Elijah Savage (Oct 27)