Cisco Support Community
Community Member

Determining packet loss

Hello all,

I have a question regarding packet loss of both the CSIDS sensor and of SPAN ports. I hope I can ask both of them here. My workplace employs a CSIDS on our edge device, which is a 6500. We have fiber to the internal network and OC3 to the Internet. There are several VLANs on the 6500 switch, and we have a SPAN session sending the traffic from the external VLAN.


The SPAN port is connected, via fiber, to a 3500 switch (we use several IDS on this switch). The 3500 has 2 GigE ports and a bunch of 10/100 copper ports. The CSIDS is connected to one of these copper ports.


Is it likely that we are dropping packets in this wacky SPAN setup, and if so, how would I document this? Is it likely that the CSIDS is getting more traffic than it can handle, and if so, how can I document this?

Thanks in advance, and sorry for being long-winded!


Re: Determining packet loss

Cisco Employee


It is always possible to overrun a span port.

Say for example you have a span port that is monitoring 10 other ports.

If each of these other 10 ports receives a packet at the same time, then the span port will try to copy each of these 10 packets at the same time.

The problem is it can only copy out one packet at a time so it has to buffer the other 9 packets. If its buffer is only large enough for 4 packets then the additional 5 packets will be dropped by the span port.

In a Cat6K, I think that show counters may show you an overrun counter which counts these packets that didn't make it into the buffer for the port.

In the case of your 3500 switch you can wind up in a similar scenario. The Gig incoming port can send in 10 packets in the time it takes the 100Mbps port to send just 1 packet. So similar to the 10 port scenario above, if the Gig port brings in 10 packets in the time it takes the 100Mbps port to send one packet, then 9 packets have to be buffered on the 100Mbps port. If the buffer can't hold all 9 packets then some will be dropped.

The more times this happens the more packets that get dropped.

NOTE: This can be seen even when the Gig port is only bringing in 100Mbps. This is because the dropping is not based on a per second rate, it's the number of packets received in the time it takes for the span port to transmit 1 packet. So it is more of an instantaneous rate rather than a per second rate.

There may be a similar show counters command on your 3500 switch to show packet counts for packets being dropped at the span port because of this situation.

As for overloading the CIDS, the 3.1 versions of the sensor appliances have a new 993 alarm. It will fire when the sensor is seeing packets that it does not have enough CPU to analyze (i.e. if the span port is forwarding the packets, but the sensor can't keep up).

By default the 993 alarm is disabled, so you will need to set its severity to High to turn it on.

Part of the details in the alarms tells you what percentage of the traffic (seen by the sensor) it is not able to analyze.
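
The instantaneous-rate point in the reply above, as an added example that is not part of the original thread: a slot-based Python model of a 100 Mbps SPAN destination fed from a 1 Gbps source, showing that bursts are dropped even when the average rate fits. It assumes fixed-size packets and a buffer counted in packets (4, as in the reply's illustration); `simulate_span`, `bursty` and `paced` are hypothetical helper names.

```python
"""Added example: slot-based model of a SPAN destination port's output buffer."""

def simulate_span(arrivals, speed_ratio=10, buffer_pkts=4):
    """Return (offered, dropped) for a slow egress port fed by a fast ingress.

    arrivals    -- sequence of 0/1, one entry per ingress packet time
    speed_ratio -- ingress packet times needed to transmit one packet on egress
                   (10 for a 1 Gbps source copied to a 100 Mbps port)
    buffer_pkts -- packets the egress port can hold while one is in flight
    """
    queue = tx_left = offered = dropped = 0
    for pkt in arrivals:
        if tx_left:                        # the packet on the wire makes progress
            tx_left -= 1
        if pkt:
            offered += 1
            if tx_left == 0 and queue == 0:
                tx_left = speed_ratio      # port idle: transmit right away
            elif queue < buffer_pkts:
                queue += 1                 # port busy: wait in the buffer
            else:
                dropped += 1               # buffer full: the IDS never sees it
        if tx_left == 0 and queue:         # wire free: send next buffered packet
            queue -= 1
            tx_left = speed_ratio
    return offered, dropped


def bursty(burst, period, cycles):
    """`burst` back-to-back packets at the start of every `period` slots."""
    return ([1] * burst + [0] * (period - burst)) * cycles


def paced(gap, cycles):
    """One packet every `gap` slots (perfectly smooth traffic)."""
    return ([1] + [0] * (gap - 1)) * cycles


if __name__ == "__main__":
    # Constructed traffic patterns; all carry 1000 packets.
    cases = {
        "smooth, 100 Mbps average": paced(10, 1000),
        "bursts of 10, 100 Mbps average": bursty(10, 100, 100),
        "bursts of 10, 50 Mbps average": bursty(10, 200, 100),
    }
    for name, pattern in cases.items():
        offered, dropped = simulate_span(pattern)
        print(f"{name:32s} offered={offered:5d} dropped={dropped:4d} "
              f"({100 * dropped / offered:.0f}% invisible to the sensor)")
```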

