On 21/06/05 20:02 -0700, chirag radhakrishnan wrote:
On 21/06/05 11:35 +0530, Sonali Gupta wrote:
Hi,
We are using Snort on Linux in the binary packet capture mode (capture and log in tcpdump format). We find packet drops even at 5 Mbps bandwidth which we feel is very low for the hardware we are using. We would be grateful if you can provide any suggestions on the issue.
Hardware used: HP Proliant DL 140 G2. Dual processor, processor speed 2.8 GHz with 512MB RAM and 72 GB SATA HDD, Gigabit network card.
The test setup also makes a lot of difference. Can you elaborate on the test setup? It might just happen that the source of packets might be creating a bottleneck! In other words, either or both of the sender and receiver of packets might be creating a bottleneck.
Quoting Sonali's original mail again:
If there are no hard disk writes, then there is no drop even at 80 Mbps. We tested this by using a rule in snort which rarely matches, so that snort hardly logs any packets.
The problem is with the SATA drivers, or the disk itself. I am sorely tempted to blame SATA for something that needs tons of writes. SCSI RAID with battery backed cache is the way to go.
If you want to size disk intensive operations, see the server sizing at http://www.tpc-int.org/ (IIRC), the database benchmark site.
Devdas Bhagat