Snort mailing list archives
Discarded packets and other stats...
From: John Sage <jsage () finchhaven com>
Date: Mon, 18 Jun 2001 15:37:09 -0700
OK: snort seems to be ticking along quite happily, doing pretty much what I ask of it, and all is well.
Fine. I'm curious about the stats that are printed when snort exits. For one example:
====================================================
TCP: 30291 (95.013%) ALERTS: 12
UDP: 848 (2.660%) LOGGED: 14867
ICMP: 742 (2.327%) PASSED: 0
So, in this particular session, snort accounted for 31,881 tcp, udp and
icmp packets, but there's only 14,879 seen by Alerts, Logged, or Passed.
What/where are the others?
ARP: 0 (0.000%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
And, what's this all about:
DISCARD: 7350 (23.054%)
What gets discarded, typically, and why?
And isn't 23% a lot?
=====================================================
Fragmentation Stats:
Fragmented IP Packets: 229 (0.718%)
Rebuilt IP Packets: 0
Frag elements used: 0
Discarded(incomplete): 0
Discarded(timeout): 0
=====================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 27710 (86.917%)
Reconstructed Packets: 7579 (23.773%)
Streams Reconstructed: 878
=====================================================
The rest of this I think I'm kinda OK with, unless anyone sees something
out of line, or if someone wants to toss in any thoughts...
TIA..
- John
--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage () finchhaven com
"The web is so, like, five minutes ago..."
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
