Snort mailing list archives
'kill snort-pid -USR1' returns unrealistic figures
From: Bruno Vuillemin <Bruno.Vuillemin () unifr ch>
Date: Wed, 13 Feb 2002 14:50:30 +0100
Statistics generated by "kill snort-pid -USR1" look strange:
1/ snort is launched
2/ a few seconds later I did a "kill snort-pid -USR1"
(...)
Feb 11 17:02:47 snortBox snort: Snort analyzed 10346 out of 10923 packets,
Feb 11 17:02:47 snortBox snort: dropping 577(5.282%) packets
(...)
Nothing special to say.
3/ about one minute later, I did it again
(...)
Feb 11 17:03:48 snortBox snort: Snort analyzed -119209984 out of 16777216 packets,
Feb 11 17:03:48 snortBox snort: dropping 135987200(810.547%) packets
(...)
These figures are impressive but don't seem very reliable.
In the annex, an even worse case.
Is this a known problem? Any comments?
Context:
Before posting this, I wasn't able to find any relevant information with the usual web/news search tools.
Nothing special about snort binaries: I read the docs, compiled it as recommended (unless
I missed something). snort 1.8.2.
SnortSnarf is able to use the collected data.
Hardware: a Compaq Deskpro DP2000 with two ethernet cards.
# 'cat /proc/net/dev' looks very acceptable (after I added some spaces to improve layout)
Inter-| Receive | Transmit
face | bytes packets errs drop fifo frame compressed multicast| bytes packets errs drop fifo colls carrier compressed
lo: 13350 179 0 0 0 0 0 0 13350 179 0 0 0 0 0 0
eth0: 941121015 266280107 2 0 0 3 0 0 168 4 0 0 0 0 0 0
eth1:1467837932 6539927 0 0 0 0 0 0 4117790301 7032899 0 0 0 1139037 0 0
------------
Regards.
Bruno Vuillemin, university of Fribourg/Freiburg (Switzerland), computer service
--------------------------------------------------------
Annex:
This was output about one hour after snort was launched.
Figures again are surprising.
Feb 12 16:00:25 snortBox snort: ===============================================================================
Feb 12 16:00:25 snortBox snort: Snort analyzed 0 out of 0 packets,
Feb 12 16:00:25 snortBox snort: .
Feb 12 16:00:25 snortBox snort: Breakdown by protocol: Action Stats:
Feb 12 16:00:25 snortBox snort: TCP: 307907 (inf%) ALERTS: 89
Feb 12 16:00:25 snortBox snort: UDP: 3391 (inf%) LOGGED: 30
Feb 12 16:00:25 snortBox snort: ICMP: 308 (inf%) PASSED: 0
Feb 12 16:00:25 snortBox snort: ARP: 1826 (inf%)
Feb 12 16:00:25 snortBox snort: IPv6: 0 (0.000%)
Feb 12 16:00:25 snortBox snort: IPX: 4 (inf%)
Feb 12 16:00:25 snortBox snort: OTHER: 3058 (inf%)
Feb 12 16:00:25 snortBox snort: DISCARD: 0 (0.000%)
Feb 12 16:00:25 snortBox snort: ===============================================================================
Feb 12 16:00:25 snortBox snort: Fragmentation Stats:
Feb 12 16:00:25 snortBox snort: Fragmented IP Packets: 0 (0.000%)
Feb 12 16:00:25 snortBox snort: Fragment Trackers: 0
Feb 12 16:00:25 snortBox snort: Rebuilt IP Packets: 0
Feb 12 16:00:25 snortBox snort: Frag elements used: 0
Feb 12 16:00:25 snortBox snort: Discarded(incomplete): 0
Feb 12 16:00:25 snortBox snort: Discarded(timeout): 0
Feb 12 16:00:25 snortBox snort: Frag2 memory faults: 0
Feb 12 16:00:25 snortBox snort: ===============================================================================
Feb 12 16:00:25 snortBox snort: TCP Stream Reassembly Stats:
Feb 12 16:00:25 snortBox snort: TCP Packets Used: 307891 (inf%)
Feb 12 16:00:25 snortBox snort: Stream Trackers: 8767
Feb 12 16:00:25 snortBox snort: Stream flushes: 1018
Feb 12 16:00:25 snortBox snort: Segments used: 2663
Feb 12 16:00:25 snortBox snort: Stream4 Memory Faults: 0
Feb 12 16:00:25 snortBox snort: ===============================================================================
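A sanity check over the kind of summary lines quoted in this message, as an added example that is not part of the original post and not Snort code: it flags summaries whose counters cannot be trusted (negative values, more drops than packets received, per-protocol counts above the reported total). The function name and the three plausibility rules are assumptions chosen for illustration; the sample lines are copied from the excerpts above.

```python
import re

# Constructed sample: summary lines copied from the syslog excerpts in the post.
SAMPLE = """\
Feb 11 17:02:47 snortBox snort: Snort analyzed 10346 out of 10923 packets,
Feb 11 17:02:47 snortBox snort: dropping 577(5.282%) packets
Feb 11 17:03:48 snortBox snort: Snort analyzed -119209984 out of 16777216 packets,
Feb 11 17:03:48 snortBox snort: dropping 135987200(810.547%) packets
Feb 12 16:00:25 snortBox snort: Snort analyzed 0 out of 0 packets,
Feb 12 16:00:25 snortBox snort: TCP: 307907 (inf%) ALERTS: 89
Feb 12 16:00:25 snortBox snort: IPv6: 0 (0.000%)
"""

ANALYZED = re.compile(r"Snort analyzed (-?\d+) out of (-?\d+) packets")
DROPPING = re.compile(r"dropping (-?\d+)\(")
PROTO = re.compile(r"snort:\s*(TCP|UDP|ICMP|ARP|IPv6|IPX|OTHER):\s+(\d+)\s+\(")


def check_summaries(text):
    """Return [(timestamp, [problems])], one entry per 'Snort analyzed' summary."""
    results, received, problems = [], None, None
    for line in text.splitlines():
        m = ANALYZED.search(line)
        if m:
            analyzed, received = int(m.group(1)), int(m.group(2))
            problems = []
            results.append((line[:15], problems))  # syslog timestamp prefix
            if analyzed < 0 or received < 0:
                problems.append("negative counter")
            if analyzed > received:
                problems.append("analyzed exceeds received")
            continue
        if problems is None:
            continue  # no summary header seen yet
        m = DROPPING.search(line)
        if m and int(m.group(1)) > received:
            problems.append("dropped exceeds received")
        m = PROTO.search(line)
        if m and int(m.group(2)) > received:
            problems.append(f"{m.group(1)} count exceeds total")
    return results


if __name__ == "__main__":
    for stamp, problems in check_summaries(SAMPLE):
        print(stamp, "OK" if not problems else "SUSPECT: " + "; ".join(problems))
```

A sensor whose summary is flagged this way should not have its drop percentage used for capacity or coverage decisions until the counters are confirmed by another source such as the interface statistics.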
