|
Home > Archive > Snort > September 2004 > [Snort-users] packet loss
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
[Snort-users] packet loss
|
|
| Larry Wichman 2004-09-28, 5:47 pm |
| --0-1450687225-1096380832=:5284
Content-Type: text/plain; charset=us-ascii
In the course of my testing of Snort I have averaged about 40% packet loss. I am running Snort on Fedora. The segment I am monitoring is 100 mb and is very busy. Does anyone have any recommendations for tuning Snort to not drop so many packets? Is there a
ny recommendations for hardware? The CPU is running at about 40% and the memory looks fine.
~Larry
---------------------------------
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
--0-1450687225-1096380832=:5284
Content-Type: text/html; charset=us-ascii
<DIV>In the course of my testing of Snort I have averaged about 40% packet loss. I am running Snort on Fedora. The segment I am monitoring is 100 mb and is very busy. Does anyone have any recommendations for tuning Snort to not drop so many packets?
Is there any recommendations for hardware? The CPU is running at about 40% and the memory looks fine. </DIV>
<DIV> </DIV>
<DIV>~Larry</DIV><p>
<hr size=1>Do you Yahoo!?<br>
<a href="http://us.rd.yahoo.com/mail_us/taglines/50x/*http://promotions.yahoo.com/new_mai...efficiency.html">Yahoo! Mail</a> - 50x more storage than other providers!
--0-1450687225-1096380832=:5284--
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
| |
| sekure 2004-09-28, 5:47 pm |
| 64bit PCI-X NICs, fast bus.
And patches for libpcap.
Either this: http://public.lanl.gov/cpw/
or this: http://www.ntop.org/PF_RING.html
----- Original Message -----
From: Larry Wichman <larrywichman@yahoo.com>
Date: Tue, 28 Sep 2004 07:13:52 -0700 (PDT)
Subject: [Snort-users] packet loss
To: snort-users@lists.sourceforge.net
In the course of my testing of Snort I have averaged about 40% packet
loss. I am running Snort on Fedora. The segment I am monitoring is 100
mb and is very busy. Does anyone have any recommendations for tuning
Snort to not drop so many packets? Is there any recommendations for
hardware? The CPU is running at about 40% and the memory looks fine.
~Larry
________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
| |
| Matt Kettler 2004-09-28, 5:47 pm |
| At 10:13 AM 9/28/2004, Larry Wichman wrote:
>In the course of my testing of Snort I have averaged about 40% packet
>loss. I am running Snort on Fedora. The segment I am monitoring is 100 mb
>and is very busy. Does anyone have any recommendations for tuning Snort to
>not drop so many packets? Is there any recommendations for hardware? The
>CPU is running at about 40% and the memory looks fine.
>
First, I'd make sure your setup is reasonably optimized.
What logging modes are you using? switching to tcpdump or unified packet
logging is a HUGE improvement from the default plain text-mode logging.
Then some simple low-cost hardware checks:
Are you digging into your swap partition, or do you have sufficient ram?
What kind of NIC are you using? A Realtek RT8139 is a popular, but very
inefficient network controller. Look into something with more efficient DMA
alignments (Dec tulip, Intel eepro, etc). The newer gigabit realtek 8169
part is fairly reasonable from what I hear, but I've not tested it.
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjourn...guidepromo.tmpl
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
| |
| Marc Norton 2004-09-29, 7:57 pm |
| This is a multi-part message in MIME format.
------=_NextPart_000_0022_01C4A615.E71343E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
If you have plenty of cpu and memory I am assuming you are not page
faulting, in which case you might just need to use the mmap version of
libpcap. It uses less cpu than the standard pcap, but also has much less
packet latency during sniffing so it does not drop as much.
-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Larry
Wichman
Sent: Tuesday, September 28, 2004 10:14 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] packet loss
In the course of my testing of Snort I have averaged about 40% packet
loss. I am running Snort on Fedora. The segment I am monitoring is 100
mb and is very busy. Does anyone have any recommendations for tuning
Snort to not drop so many packets? Is there any recommendations for
hardware? The CPU is running at about 40% and the memory looks fine.
~Larry
_____
Do you Yahoo!?
Yahoo!
<http://us.rd.yahoo.com/mail_us/tagl...tions.yahoo.com
/new_mail/static/efficiency.html> Mail - 50x more storage than other
providers!
------=_NextPart_000_0022_01C4A615.E71343E0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DProgId content=3DWord.Document>
<meta name=3DGenerator content=3D"Microsoft Word 10">
<meta name=3DOriginator content=3D"Microsoft Word 10">
<link rel=3DFile-List href=3D"cid:filelist.xml@01C4A615.E6BF3070">
<link rel=3DEdit-Time-Data href=3D"cid:editdata.mso@01C4A615.E6BF3070">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
..shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags" =
name=3D"time"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"date"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"PersonName"/>
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:DoNotRelyOnCSS/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:DocumentKind>DocumentEmail</w:DocumentKind>
<w:EnvelopeVis/>
<w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
</w:WordDocument>
</xml><![endif]--><!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;
mso-font-charset:0;
mso-generic-font-family:swiss;
mso-font-pitch:variable;
mso-font-signature:553679495 -2147483648 8 0 66047 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{mso-style-parent:"";
margin:0in;
margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;
text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;
text-underline:single;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
mso-pagination:widow-orphan;
font-size:12.0pt;
font-family:"Times New Roman";
mso-fareast-font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
mso-style-noshow:yes;
mso-ansi-font-size:10.0pt;
mso-bidi-font-size:10.0pt;
font-family:Arial;
mso-ascii-font-family:Arial;
mso-hansi-font-family:Arial;
mso-bidi-font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;
mso-header-margin:.5in;
mso-footer-margin:.5in;
mso-paper-source:0;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
/* Style Definitions */=20
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";}
</style>
<![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dblue style=3D'tab-interval:.5in'>
<div class=3DSection1>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'>If you have plenty of cpu and<span
style=3D'mso-spacerun:yes'> </span>memory I am assuming you are =
not page
faulting, in which case you might just need to use the mmap version of =
libpcap.
It uses less cpu than the standard pcap, but also has much less packet =
latency
during sniffing so it does not drop as =
much.<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in =
0in 4.0pt'>
<p class=3DMsoNormal><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;
font-family:Tahoma'>-----Original Message-----<br>
<b><span style=3D'font-weight:bold'>From:</span></b>
snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] <b><span =
style=3D'font-weight:
bold'>On Behalf Of </span></b>Larry Wichman<br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> =
</span></font><st1:date
Month=3D"9" Day=3D"28" Year=3D"2004"><font size=3D2 face=3DTahoma><span =
style=3D'font-size:
10.0pt;font-family:Tahoma'>Tuesday, September 28, =
2004</span></font></st1:date><font
size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;font-family:Tahoma'> </span></font><st1:time
Hour=3D"10" Minute=3D"14"><font size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;
font-family:Tahoma'>10:14 AM</span></font></st1:time><font size=3D2 =
face=3DTahoma><span
style=3D'font-size:10.0pt;font-family:Tahoma'><br>
<b><span style=3D'font-weight:bold'>To:</span></b> =
</span></font><st1:PersonName><font
size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;font-family:Tahoma'>snort-users@lists.sourcefor=
ge.net</span></font></st1:PersonName><font
size=3D2 face=3DTahoma><span =
style=3D'font-size:10.0pt;font-family:Tahoma'><br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> [Snort-users] =
packet loss</span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>In the course of my testing of Snort I have averaged about 40% =
packet
loss. I am running Snort on Fedora. The segment I am monitoring =
is 100 mb
and is very busy. Does anyone have any recommendations for tuning Snort =
to not
drop so many packets? Is there any recommendations for hardware? The CPU =
is
running at about 40% and the memory looks fine. =
<o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>~Larry<o:p></o:p></span></font></p>
</div>
<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font =
size=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>
<hr size=3D1 width=3D"100%" align=3Dcenter>
</span></font></div>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Do you Yahoo!?<br>
<a
href=3D"http://us.rd.yahoo.com/mail_us/taglines/50x/*http:/promotions.yah=
oo.com/new_mail/static/efficiency.html">Yahoo!
Mail</a> - 50x more storage than other =
providers!<o:p></o:p></span></font></p>
</div>
</div>
</body>
</html>
------=_NextPart_000_0022_01C4A615.E71343E0--
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjourn...guidepromo.tmpl
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
| |
| Jose Maria Lopez 2004-09-29, 7:57 pm |
| El mar, 28 de 09 de 2004 a las 16:13, Larry Wichman escribi=C3=B3:
> In the course of my testing of Snort I have averaged about 40% packet
> loss. I am running Snort on Fedora. The segment I am monitoring is 100
> mb and is very busy. Does anyone have any recommendations for tuning
> Snort to not drop so many packets? Is there any recommendations for
> hardware? The CPU is running at about 40% and the memory looks fine.=20
> =20
> ~Larry
First thing you should do it's to check the rules you are
using and remove the ones that don't apply to your system
or are not useful to you. Tunning the rules will give you
a performance boost.
Second thing it's logging in binary format instead of logging
in ascii format. You can use then barnyard to generate the
logs in ascii format or log to a database. That will be another
huge performance boost.
--=20
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPA=C3=91A
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjourn...guidepromo.tmpl
________________________________________
_______
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists...nfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf....ist=snort-users
|
|
|
|
|