Linux packet drops
Sonali Gupta
sonali25 at gmail.com
Tue Jun 21 06:22:40 UTC 2005
Hi,

We are using Snort on Linux in the binary packet capture mode (capture
and log in tcpdump format). We find packet drops even at 5 Mbps
bandwidth which we feel is very low for the hardware we are using. We
would be grateful if you can provide any suggestions on the issue.

Hardware used:
HP ProLiant DL 140 G2. Dual processor, processor speed 2.8 GHz with
512MB RAM and 72 GB SATA HDD, Gigabit network card.
Operating system: Red Hat Enterprise Linux ES Version 3.
Snort version: Snort 2.3.0

The OS is a default installation. We are not running any software
other than snort on the system.

Observations:
We find that the drop is related to HDD writes.

If there are no hard disk writes, then there is no drop even at 80
Mbps. We tested this by using a rule in snort which rarely matches, so
that snort hardly logs any packets.

We also found that the drop increases when the I/O is high,
irrespective of whether it is being done by the same process (snort)
or a totally unrelated one. We created a high I/O scenario by doing
a copy of a huge file (3GB) periodically while snort is running. Even
this triggered packet drops.

So, to summarize, we see packet drops in sniffing whenever there is
disk I/O happening.

We do not suspect the HDD of the machine, as we were able to simulate
the problem in two other totally different systems also.

Regards,
Sonali