Linux packet drops

Senthil Prabu.S prabu333 at hotpop.com
Tue Jun 21 07:29:14 UTC 2005


Upgrade to 2.3.3; it has vital fixes to the portscanners and is much enhanced.
Even this can help you sometimes :-).

I guess the problem may be with libpcap. What version of libpcap are you using?
Please use libpcap-0.8.3, because this can also be a main cause of packet loss.

Any older libpcap version has problems on Linux and also results in packet loss.

--
Senthil Prabu.S
    
    We are using Snort on Linux in the binary packet capture mode (capture
    and log in tcpdump format). We find packet drops even at 5 Mbps
    bandwidth which we feel is very low for the hardware we are using. We
    would be grateful if you can provide any suggestions on the issue.
    
    Hardware used:
    HP Proliant DL 140 G2. Dual processor, processor speed 2.8 GHz with
    512MB RAM and 72 GB SATA HDD, Gigabit network card.
    
    Operating system: Red Hat Enterprise Linux ES Version 3.
    
    Snort version: Snort 2.3.0
    
    The OS is a default installation. We are not running any software
    other than snort on the system.
    
    Observations:
    We find that the drop is related to HDD writes.
    
    If there are no hard disk writes, then there is no drop even at 80
    Mbps. We tested this by using a rule in snort which rarely matches, so
    that snort hardly logs any packets.
    
    We also found that the drop increases when the I/O is high,
    irrespective of whether it is being done by the same process (snort)
    or a totally unrelated one. We created a high I/O scenario by
    copying a huge file (3GB) periodically while snort is running. Even
    this triggered packet drops.
    
    So, to summarize, we see packet drops in sniffing whenever there is
    disk I/O happening.
    We do not suspect the HDD of the machine, as we were able to simulate
    the problem in two other totally different systems also.
    

