Snort mailing list archives

Re: snort packet loss rate


From: Justin Heath <jheath () sourcefire com>
Date: Wed, 26 Apr 2006 10:56:00 -0400



I am assuming that you recompiled snort and tcpdump with 0.8.3.

I can't say for sure that the libpcap behavior is causing your issue,
however, I have seen that behavior in 0.9.4.

Also, keep in mind whenever you kill snort there are still unprocessed packets 
it has not been able to pull from the buffer. This will also skew your 
results. The packets that are still outstanding are currently reported in 
your overall received packets count. We have recently added a category for 
outstanding packets that will clarify this issue. I believe this will be part 
of the 2.6.0 release.

Anyway, if you are seeing the same behaviour with other tools such as tcpdump 
the issue is external to Snort.


On Wednesday 26 April 2006 10:38, Jin Fang wrote:
I just tried libpcap 0.8.3
No difference.

Downgrade your libpcap and you should see your packet count stats drop by
1/2.
Either that or ignore the fact that libpcap is counting them twice.


Cheers,
Justin Heath

