argus and snort ?
Peter Van Epp
vanepp at sfu.ca
Mon Sep 11 12:38:25 EDT 2000
Hmmm, Neil's comment about moving back to Solaris from FreeBSD set off
alarm bells in my head that I should set up an IPX I have in my test room
with Solaris 2.6 and argus to compare against a test FreeBSD box. Looks like
that may be a good thing to do (along with tcpreplay to introduce known data
on the wire). Since I have seen FreeBSD lose packets (and both tcpdump and
argus report them as "lost by kernel") I have been assuming perhaps incorrectly
that as long as the loss count is 0 we are OK. Now if I just had any time ...
That said, I believe snort is doing full packet capture which will
(at least on my box) cause packet loss with tcpdump (and I assume snort
although I haven't gotten around to trying it). One of the things I have wanted
to do for a long time is compare packet capture between OpenBSD (which NFR
recommends as their OS of choice, with as I recall Solaris #2) against FreeBSD.
There are apparently some changes for performance in the OpenBSD kernel packet
capture code (and I believe from old comments on the NFR list a change that
was thought to reduce performance) in FreeBSD. OpenBSD is however non-trivial
to install ...
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
>
> Hi All,
> I have just noticed that one of my argus recorders seems to be
> missing packets; the irony is that the one losing data is a 500MHz
> machine and the other is 166MHz.
>
> When I kill the suspect argus process it reports:
>
> 263828758 packets recv'd by filter
> 0 packets dropped by kernel
>
> I have recently started running snort on the same machine (a FreeBSD
> 4.1 box) and I am wondering if there is some interaction that means
> that argus is not getting some of the packets.
>
> Any ideas?
>
> Cheers, Russell.
>
>
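The check Peter describes above (replay a known number of packets with tcpreplay, then see whether a sniffer that reports "0 packets dropped by kernel" really saw all of them) can be scripted against the exit summary that libpcap-based tools print. The following is an added example written for this archive page; it is not code from argus, snort, tcpdump or any poster. It assumes the summary lines look like tcpdump's "N packets received by filter" / "N packets dropped by kernel" or argus's "N packets recv'd by filter" as shown in Russell's mail, and that the caller already knows how many packets were put on the wire (for example, the packet count of the file handed to tcpreplay, restricted to packets that would pass the sniffer's BPF filter). The sample counters at the bottom are constructed, not measured.

```python
"""Cross-check libpcap drop counters against a known packet count.

Hypothetical helper, not part of argus, snort or tcpdump: it parses the
exit summary that libpcap-based sniffers print and compares it with the
number of packets deliberately put on the wire (e.g. by tcpreplay).
"""
import re
from dataclasses import dataclass

# tcpdump prints "received by filter"; the argus build in the post prints
# "recv'd by filter".  Accept both spellings.
_RECV_RE = re.compile(r"^\s*(\d+)\s+packets?\s+(?:received|recv'd)\s+by\s+filter\b")
_DROP_RE = re.compile(r"^\s*(\d+)\s+packets?\s+dropped\s+by\s+kernel\b")


@dataclass
class CaptureStats:
    sensor: str
    received: int   # libpcap ps_recv: packets handed to this descriptor
    dropped: int    # libpcap ps_drop: packets lost because the kernel buffer was full


def parse_stats(sensor: str, text: str) -> CaptureStats:
    """Pull the two counters out of a sniffer's exit summary."""
    received = dropped = None
    for line in text.splitlines():
        m = _RECV_RE.match(line)
        if m:
            received = int(m.group(1))
            continue
        m = _DROP_RE.match(line)
        if m:
            dropped = int(m.group(1))
    if received is None or dropped is None:
        raise ValueError(f"{sensor}: exit summary lacks received/dropped lines")
    return CaptureStats(sensor, received, dropped)


def assess(stats: CaptureStats, expected: int) -> str:
    """Classify one sensor against the number of packets known to be on the wire.

    'expected' must count only packets that would pass the sensor's BPF
    filter, otherwise a narrow filter looks like loss.
    """
    if stats.dropped > 0:
        return "kernel-drop"      # the kernel admits to losing packets
    if stats.received < expected:
        return "silent-loss"      # counter says 0 dropped, yet packets are missing
    return "ok"


def cross_check(a: CaptureStats, b: CaptureStats) -> str:
    """Compare two sensors tapping the same wire with the same filter.

    Useful when no replay of known size is available: if both report zero
    kernel drops but disagree on what they received, at least one of them
    is losing packets somewhere the drop counter does not see.
    """
    if a.dropped or b.dropped:
        return "kernel-drop"
    if a.received != b.received:
        return "silent-loss"
    return "ok"


if __name__ == "__main__":
    # Constructed sample summaries; the counts are illustrative, not measured.
    fast_box = parse_stats(
        "500MHz", "120000 packets recv'd by filter\n0 packets dropped by kernel\n")
    slow_box = parse_stats(
        "166MHz", "120250 packets recv'd by filter\n0 packets dropped by kernel\n")
    replayed = 120250   # assumed: packet count of the file given to tcpreplay
    print(fast_box.sensor, assess(fast_box, replayed))
    print(slow_box.sensor, assess(slow_box, replayed))
    print("cross-check:", cross_check(fast_box, slow_box))
```

The point of the "silent-loss" outcome is the one Peter raises: ps_drop only counts packets the BPF layer knew it had to discard, so a zero there is necessary but not sufficient. Which packets ps_recv counts (before or after the filter, with or without the dropped ones) varies by platform, which is why the expected count has to be computed for the same filter the sensor runs, and why two sensors on the same wire should only be compared when they share a filter.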