Snort mailing list archives

Snort may not be dropping any packets but is libpcap?


From: Seth Art <sethart () gmail com>
Date: Thu, 23 Dec 2004 13:06:16 -0500

So I have been mirroring my lan traffic to my snort machine which isn't
anything that fast for a couple of months now.  It's a 1.4 mhz with I
think 256 of RAM running FC2.  Maybe there is a better way to do this,
but periodically I stop the snort daemon (version 2.2.0 by the way)
and run it without -D for say 20 minutes and then stop it manually.  I
then scan the output for the dropped packets line and it's usually
zero but sometimes it's .1% or something which I can live with.   I
thought all was well.

I recently set up ntop and decided I already have an interface seeing
all the mirrored traffic so I ran ntop on my snort machine.  I was
concerned that running ntop would affect snort and make it drop
packets so I ran snort again without -D and was happy to see that it
was not dropping any more packets than usual.  It was a tenth of a
percent.

BUT... to my surprise when I was looking at the NTOP stats it said
that although NTOP was also not dropping ANYTHING, that libpcap was
dropping 25-50 percent.   What the hell is that all about?   I stopped
snort and ran NTOP again and still the 25-50 percent.

Does this mean that although snort hasn't been dropping anything for
the past couple of months that libpcap has been dropping a quarter of
my traffic without my knowing it?

I am a little confused.  Can anyone help shed some light?    Thanks

-Seth

