Snort mailing list archives
Re: Dropped: 236694431 (64.559%) 64% packet loss
From: Pedro Marinho <pppmarinho () gmail com>
Date: Fri, 12 Jun 2009 16:45:19 -0300
Martin, the memory is

MemTotal: 1034648 kB

CPU is

processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz
stepping : 13
cpu MHz : 1607.746
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 0
cpu cores : 2
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl est tm2 cx16 xtpr lahf_lm
bogomips : 3218.04

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 15
model name : Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz
stepping : 13
cpu MHz : 1607.746
cache size : 1024 KB
physical id : 0
siblings : 2
core id : 1
cpu cores : 2
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 10
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx lm constant_tsc pni monitor ds_cpl est tm2 cx16 xtpr lahf_lm
bogomips : 3215.53

the stream5 is like this :

#preprocessor stream5_global: max_tcp 8192, track_tcp yes,memcap 67108864, \
preprocessor stream5_global: max_tcp 8192, track_tcp yes,memcap 134217728, \
   track_udp yes
preprocessor stream5_tcp: policy windows, use_static_footprint_sizes, \
   ports client 21 23 25 42 53 80 135 136 137 139 143 110 111 445 465 513 691 1433 1521 2100 2301 3128 3306 8000 8080 8180 8888
preprocessor stream5_udp: ignore_any_rules

and the frag3 preprocessor is

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows timeout 180

Thanks for the help, I should make this upgrade to the 2.8.4 version of snort. Is there something I should do in the snort.conf file to solve this temporarily until I make the snort upgrade ?

> Hi Pedro,
> and after Joel, please update to 2.8.4 for more performance...
> and use "ac-bnfa" search-method...
> Regards
> Rmkml
> Crusoe-Researches.com

I will change the search method too.. thanks guys !

2009/6/12 Martin Roesch <roesch () sourcefire com>

> Also, what's the CPU and RAM on the box? How is stream5 and frag3 configured? You should also upgrade to the 2.8.4 series, it has significant performance improvements in the detection engine.
>
> Marty
>
> On Fri, Jun 12, 2009 at 3:05 PM, Joel Esler <jesler () sourcefire com> wrote:
> > On Fri, Jun 12, 2009 at 2:44 PM, Pedro Marinho <pppmarinho () gmail com> wrote:
> > > Hello Gentlemen,
> > > I am having some Dropped packet problems here with snort. I already did change the search method to lowmem but I am still losing packets.. I did run snort for about 4405.825615 seconds and the traffic here is about 210976.40 kbits/sec. Is 4405.825615 seconds a short time to run snort ? Is there something I've got to do in snort.conf to solve this matter?
> >
> > Possibly, what is your output method? That's probably a good starting point for us to ask.
> >
> > joel
> >
> > > I am watching traffic at eth2, it is a
> > >
> > > 06:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI Express (rev 21)
> > >         Subsystem: Dell Unknown device 023c
> > >         Flags: bus master, fast devsel, latency 0, IRQ 218
> > >         Memory at dfef0000 (64-bit, non-prefetchable) [size=64K]
> > >         Capabilities: [48] Power Management version 2
> > >         Capabilities: [50] Vital Product Data
> > >         Capabilities: [58] Message Signalled Interrupts: Mask- 64bit+ Queue=0/3 Enable+
> > >         Capabilities: [d0] Express Endpoint IRQ 0
> > >         Capabilities: [100] Advanced Error Reporting
> > >         Capabilities: [13c] Virtual Channel
> > >         Capabilities: [160] Device Serial Number d0
> > >         Capabilities: [16c] Power Budgeting
> > >
> > > //---------------------------------------------------------------------------------------------------------
> > >
> > >         --== Initialization Complete ==--
> > >
> > >    ,,_     -*> Snort! <*-
> > >   o"  )~   Version 2.8.0.1 (Build 72)
> > >    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> > >            (C) Copyright 1998-2007 Sourcefire Inc., et al.
> > >            Using PCRE version: 7.2 2007-06-19
> > >
> > >            Rules Engine: SF_SNORT_DETECTION_ENGINE Version 1.6 <Build 11>
> > >            Preprocessor Object: SF_SMTP Version 1.0 <Build 7>
> > >            Preprocessor Object: SF_SSH Version 1.0 <Build 1>
> > >            Preprocessor Object: SF_FTPTELNET Version 1.0 <Build 10>
> > >            Preprocessor Object: SF_DCERPC Version 1.0 <Build 4>
> > >            Preprocessor Object: SF_DNS Version 1.0 <Build 2>
> > > Not Using PCAP_FRAMES
> > > *** Caught Int-Signal
> > > Run time prior to being shutdown was 4405.825615 seconds
> > > ===============================================================================
> > > Packet Wire Totals:
> > >    Received: 366635284
> > >    Analyzed: 129940618 (35.441%)
> > >     Dropped: 236694431 (64.559%)
> > > Outstanding: 235 (0.000%)
> > > ===============================================================================
> > > Breakdown by protocol (includes rebuilt packets):
> > >       ETH: 130192920 (100.000%)
> > >   ETHdisc: 0 (0.000%)
> > >      VLAN: 0 (0.000%)
> > >      IPV6: 0 (0.000%)
> > >   IP6 EXT: 0 (0.000%)
> > >   IP6opts: 0 (0.000%)
> > >   IP6disc: 0 (0.000%)
> > >       IP4: 130114384 (99.940%)
> > >   IP4disc: 7 (0.000%)
> > >     TCP 6: 0 (0.000%)
> > >     UDP 6: 0 (0.000%)
> > >     ICMP6: 0 (0.000%)
> > >   ICMP-IP: 0 (0.000%)
> > >       TCP: 52209130 (40.101%)
> > >       UDP: 77359186 (59.419%)
> > >      ICMP: 290867 (0.223%)
> > >   TCPdisc: 0 (0.000%)
> > >   UDPdisc: 0 (0.000%)
> > >   ICMPdis: 0 (0.000%)
> > >      FRAG: 82 (0.000%)
> > >    FRAG 6: 0 (0.000%)
> > >       ARP: 10851 (0.008%)
> > >     EAPOL: 0 (0.000%)
> > >   ETHLOOP: 610 (0.000%)
> > >       IPX: 0 (0.000%)
> > >     OTHER: 69983 (0.054%)
> > >   DISCARD: 7 (0.000%)
> > > InvChkSum: 30 (0.000%)
> > >   Upconvt: 0 (0.000%)
> > >   Up fail: 0 (0.000%)
> > >    S5 G 1: 0 (0.000%)
> > >    S5 G 2: 252286 (0.194%)
> > >     Total: 130192920
> > > ===============================================================================
> > > Action Stats:
> > > ALERTS: 23
> > > LOGGED: 23
> > > PASSED: 0
> > > ===============================================================================
> > > Frag3 statistics:
> > >         Total Fragments: 82
> > >       Frags Reassembled: 16
> > >                Discards: 6
> > >           Memory Faults: 0
> > >                Timeouts: 0
> > >                Overlaps: 0
> > >               Anomalies: 0
> > >                  Alerts: 0
> > >      FragTrackers Added: 63
> > >     FragTrackers Dumped: 63
> > > FragTrackers Auto Freed: 0
> > >     Frag Nodes Inserted: 79
> > >      Frag Nodes Deleted: 79
> > > ===============================================================================
> > > Stream5 statistics:
> > >             Total sessions: 1628891
> > >               TCP sessions: 1345654
> > >               UDP sessions: 283237
> > >              ICMP sessions: 0
> > >                 TCP Prunes: 0
> > >                 UDP Prunes: 0
> > >                ICMP Prunes: 0
> > > TCP StreamTrackers Created: 1359004
> > > TCP StreamTrackers Deleted: 1359004
> > >               TCP Timeouts: 1196
> > >               TCP Overlaps: 235910
> > >        TCP Segments Queued: 2186861
> > >      TCP Segments Released: 2186861
> > >        TCP Rebuilt Packets: 492515
> > >          TCP Segments Used: 703168
> > >               TCP Discards: 35617053
> > >       UDP Sessions Created: 327597
> > >       UDP Sessions Deleted: 327597
> > >               UDP Timeouts: 44360
> > >               UDP Discards: 0
> > >                     Events: 0
> > > ===============================================================================
> > > HTTP Inspect - encodings (Note: stream-reassembled packets included):
> > >     POST methods: 14653
> > >     GET methods: 106636
> > >     Post parameters extracted: 5944
> > >     Unicode: 0
> > >     Double unicode: 0
> > >     Non-ASCII representable: 34925
> > >     Base 36: 0
> > >     Directory traversals: 1
> > >     Extra slashes ("//"): 9926
> > >     Self-referencing paths ("./"): 1
> > >     Total packets processed: 35374294
> > > ===============================================================================
> > > Snort exiting
> >
> > --
> > joel esler | Sourcefire | gtalk: jesler () sourcefire com | 302-223-5974
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
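A way to read the shutdown statistics quoted in this thread, as an added example that is not part of any poster's message: it parses the "Packet Wire Totals" block, checks that the counters add up, and goes one step beyond the thread by turning them into offered and analyzed packet rates, which shows how far the sensor is from keeping up. The function names and the `max_drop_pct` threshold are assumptions made for the illustration.

```python
import re

# Excerpt of the Snort 2.8.0.1 exit statistics quoted in the thread above.
SAMPLE = """\
Run time prior to being shutdown was 4405.825615 seconds
Packet Wire Totals:
   Received: 366635284
   Analyzed: 129940618 (35.441%)
    Dropped: 236694431 (64.559%)
Outstanding: 235 (0.000%)
"""

WIRE_FIELDS = ("Received", "Analyzed", "Dropped", "Outstanding")


def parse_wire_totals(text):
    """Extract the run time and the four wire counters from Snort exit stats."""
    m = re.search(r"Run time prior to being shutdown was ([\d.]+) seconds", text)
    if not m:
        raise ValueError("run time line not found")
    stats = {"runtime_s": float(m.group(1))}
    for name in WIRE_FIELDS:
        m = re.search(r"^\s*%s:\s+(\d+)" % name, text, re.MULTILINE)
        if not m:
            raise ValueError("missing counter: " + name)
        stats[name.lower()] = int(m.group(1))
    return stats


def assess(stats, max_drop_pct=1.0):
    """Derive rates and flag a sensor that cannot keep up.

    max_drop_pct is an assumed alerting threshold, not a Snort default.
    """
    rx, secs = stats["received"], stats["runtime_s"]
    accounted = stats["analyzed"] + stats["dropped"] + stats["outstanding"]
    drop_pct = 100.0 * stats["dropped"] / rx if rx else 0.0
    return {
        "counters_consistent": accounted == rx,  # libpcap totals should balance
        "drop_pct": round(drop_pct, 3),
        "offered_pps": round(rx / secs),         # what the wire delivered
        "analyzed_pps": round(stats["analyzed"] / secs),  # what Snort handled
        "overloaded": drop_pct > max_drop_pct,
    }


if __name__ == "__main__":
    for key, value in assess(parse_wire_totals(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the same block after a configuration change or an upgrade, the analyzed rate gives a like-for-like measure of whether the change helped.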