RE: 5.2.1 + snort, dropping packets

From: Don Bowman (don_at_sandvine.com)
Date: 05/25/04

    To: 'Sergey Lyubka' <devnull@uptsoft.com>, freebsd-current@freebsd.org
    Date: Tue, 25 May 2004 09:12:04 -0400
    
    

    From: Sergey Lyubka [mailto:devnull@uptsoft.com]
    > hackers,
    > I am running snort on 5.2.1-RELEASE, and I am getting high
    > dropped packets rate. traffic is quiet, about 1kpps, the box
    > runs on xeon
    > processor, intel gigabit NICs (em driver), system load is low:
    >
    > CPU states: 1.9% user, 5.1% nice, 1.6% system, 4.7%
    > interrupt, 86.8% idle
    > Mem: 121M Active, 97M Inact, 75M Wired, 736K Cache, 60M Buf, 201M Free
    > Swap: 512M Total, 512M Free
    >
    >
    > I have tried:
    > o both SMP and UP kernels
    > o both SCHED_ULE and SCHED_4BSD options
    > o libpcap libs versions 0.7 and 0.8.3
    > o 5.2.1-RELEASE and -current kernels
    > o DEVICE_POLLING option
    > o sysctl debug.bpf_bufsize set to maximum of 524288
    >
    > and still having dropped packets.
    > I am having a much lower spec box, running obsd 3.2, same
    > snort configuration,
    > capturing the same traffic. obsd shows constant 0 dropped packets.
    >
    > How would I fix that problem?

    This might be old information, but on stable branch, libpcap
    overrode the 'debug.bpf_bufsize' and always made it 4K. I made
    a local change and it fixed it for me. Not sure if that is
    corrected on current.

    On the system you indicate you should be able to get ~300Kpps
    into user space via bpf, or at least, you can with stable.

    _______________________________________________
    freebsd-current@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-current
    To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
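
The reply above points at the BPF buffer being held at 4K regardless of the sysctl. As an added illustration (not code from the thread, libpcap or FreeBSD), this simplified model of BPF's store/hold double buffer shows how a 4K buffer can drop packets at 1 kpps on an idle box while a 524288-byte buffer does not. The header length, 4-byte alignment, 500-byte capture size and the 50 ms reader stall once per second are assumptions constructed for the example.

```c
#include <stdio.h>

/* Assumed values for this model, not taken from the thread. */
#define BPF_HDR_LEN 18u                  /* per-packet bpf header, platform dependent */
#define WORDALIGN(x) (((x) + 3u) & ~3u)  /* records are padded to a word boundary */

/*
 * Simplified model of BPF's store/hold double buffer: packets are appended
 * to the store buffer; when it is full it is rotated into the hold slot for
 * the reader. If the hold slot is still occupied, the packet is dropped.
 * The reader drains the hold buffer instantly, except during the first
 * stall_us microseconds of every period_us (a stand-in for the sniffer
 * being busy or descheduled).
 */
unsigned long bpf_sim_drops(unsigned bufsize, unsigned caplen,
                            unsigned long npkts, unsigned long gap_us,
                            unsigned long period_us, unsigned long stall_us)
{
    unsigned rec = WORDALIGN(BPF_HDR_LEN + caplen);
    unsigned store_len = 0;
    int hold_full = 0;
    unsigned long drops = 0;

    for (unsigned long i = 0; i < npkts; i++) {
        unsigned long t = i * gap_us;
        int stalled = (t % period_us) < stall_us;

        if (!stalled)
            hold_full = 0;               /* reader drained the hold buffer */
        if (store_len + rec > bufsize) {
            if (hold_full) {             /* no free buffer: packet is dropped */
                drops++;
                continue;
            }
            hold_full = 1;               /* rotate: store becomes hold */
            store_len = 0;
        }
        store_len += rec;
    }
    return drops;
}

int main(void)
{
    /* Constructed workload: 1 kpps for 10 s, 50 ms reader stall each second. */
    unsigned sizes[] = { 4096, 524288 };
    for (int k = 0; k < 2; k++)
        printf("bufsize=%u drops=%lu of 10000\n", sizes[k],
               bpf_sim_drops(sizes[k], 500, 10000, 1000, 1000000, 50000));
    return 0;
}
```

With two 4K buffers only 14 records of this size fit before the kernel has nowhere to store the next one, so any reader pause longer than about 14 ms loses packets even though the CPU is mostly idle.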

