Snort mailing list archives
Snort-2.9.0.5 and Jumbo Frames
From: "Chinmay Mahata" <chinmay_mahata () rediffmail com>
Date: 12 Nov 2012 14:24:08 -0000
Hi,

I am new to this list and this is my first post in this mailing list. I hope I am asking the right group.

I am running snort-2.9.0.5 with daq-0.5 on a Fedora 13 box (configured as a bridge with ports eth0 as LAN and eth1 as WAN) in inline mode with daq and the other options given below, and with multiple instances of Snort.

    ./snort -D -q -Q -c /tmp/etc/snort.conf --daq nfq --daq-var queue=3 --daq-var queue_len=1024 --daq-var device=br0

In snort.conf we put the following lines.

    config snaplen: 65536
    preprocessor dcerpc2: memcap 102400, events [co ], max_frag_len 65535

We also set the MTU on br0, eth0 and eth1 to 9000.

While running tcpdump on both eth0 and eth1, we observed that:

1. Jumbo packets (length > 1518) are coming to Snort on eth1 (WAN).
2. But on the LAN side we could not find any such Jumbo packets. It seems packets are getting dropped by Snort.
3. Also, throughput is very very slow. Sometimes web pages are not opening at all.

But if we do not run Snort, or bypass packets, then we do not face any such problem.

Could anybody please help me to figure out and fix the problem?

Thanks in advance.

Best regards,
--Chinmay