
Re: [Snort-users] snort packet loss rate


Justin Heath

May 10, 2006, 5:44:35 PM

What version of libpcap are you using? I ask because there seems to be an
issue regarding version 0.9.4 counting received packets twice.


Thanks,
Justin Heath


On Tuesday 25 April 2006 03:51, Jin Fang wrote:
> I have deployed snort in a gigabyte interface.
> I noticed that the packet loss rate is quite high,
> over 80%. Even after I disabled all preprocessors,
> loading no rules, still the loss rate is about 15%.
> Also the kernel has been compiled with device_polling
> option and this freebsd box has 4GB memory.
> What is now the factor to affect this loss rate?
>
> Thanks
> Jin


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Justin Heath

May 10, 2006, 5:44:44 PM

Downgrade your libpcap and you should see your packet count stats drop by 1/2.
Either that or ignore the fact that libpcap is counting them twice.


Cheers,
Justin Heath

On Wednesday 26 April 2006 09:48, Jin Fang wrote:
> > What version of libpcap are you using? I ask because there seems to be an
> > issue regarding version 0.9.4 counting received packets twice.
>

> Yes, I am using latest 0.9.4 version and latest snort 2.4.4
> Do you mean I should use old version of tcpdump?

Justin Heath

May 10, 2006, 5:44:52 PM

I am assuming that you recompiled snort and tcpdump with 0.8.3.

I can't say for sure that the libpcap behavior is causing your issue,
however, I have seen that behavior in 0.9.4.

Also, keep in mind whenever you kill snort there are still unprocessed packets
it has not been able to pull from the buffer. This will also skew your
results. The packets that are still outstanding are currently reported in
your overall received packets count. We have recently added a category for
outstanding packets that will clarify this issue. I believe this will be part
of the 2.6.0 release.

Anyway, if you are seeing the same behaviour with other tools such as tcpdump
the issue is external to Snort.


On Wednesday 26 April 2006 10:38, Jin Fang wrote:
> I just tried libpcap 0.8.3
> No difference.


>
> > Downgrade your libpcap and you should see your packet count stats drop by
> > 1/2.
> > Either that or ignore the fact that libpcap is counting them twice.
> >
> >
> > Cheers,
> > Justin Heath
