Snort mailing list archives
Re: An OK percentage of Dropped Packets?
From: "Bill Parker" <dogbert () netnevada net>
Date: Mon, 27 Dec 2004 18:42:26 -0800
----- Original Message -----
From: <snort () airedalez net>
To: < >
Sent: Monday, December 27, 2004 9:08 AM
Subject: [Snort-users] An OK percentage of Dropped Packets?

Hello,

I am just trying to figure out what an OK number of dropped packets is. I am just sniffing right now and this is the command I used:

snort -v

Stats:
Snort received 3483036
Analyzed: 3461357 (99.378%)
Dropped: 21679 (0.622%)

So is this a pretty normal amount for it to drop? Do people go for a while without dropping any packets?

Well, here are some stats from a production box running snort (Pent III-500, 8GB SCSI, Adaptec 294x controller, 3 10/100 Intel NICs, 2 of which have no IP address and are in PROMISC. mode):

Dec 27 13:52:57 nermal snort: Snort ran for 1 Days 23 Hours 44 Minutes 46 Seconds
Dec 27 13:52:57 nermal snort: Packet analysis time averages:
Dec 27 13:52:57 nermal snort: Snort Analyzed 85964155 Packets Per Day
Dec 27 13:52:57 nermal snort: Snort Analyzed 1829024 Packets Per Hour
Dec 27 13:52:57 nermal snort: Snort Analyzed 30015 Packets Per Minute
Dec 27 13:52:57 nermal snort: Snort Analyzed 500 Packets Per Second
Dec 27 13:52:57 nermal snort:
Dec 27 13:52:57 nermal snort: Snort received 85964155 packets
Dec 27 13:52:57 nermal snort: Analyzed: 85964155(100.000%)
Dec 27 13:52:57 nermal snort: Dropped: 0(0.000%)
Dec 27 13:52:57 nermal snort: ====================================
Dec 27 13:52:57 nermal snort: Breakdown by protocol:
Dec 27 13:52:57 nermal snort: TCP: 85248429 (99.167%)
Dec 27 13:52:57 nermal snort: UDP: 588141 (0.684%)
Dec 27 13:52:57 nermal snort: ICMP: 30351 (0.035%)
Dec 27 13:52:57 nermal snort: ARP: 12 (0.000%)
Dec 27 13:52:57 nermal snort: EAPOL: 0 (0.000%)
Dec 27 13:52:57 nermal snort: IPv6: 0 (0.000%)
Dec 27 13:52:57 nermal snort: IPX: 0 (0.000%)
Dec 27 13:52:57 nermal snort: OTHER: 97056 (0.113%)
Dec 27 13:52:57 nermal snort: DISCARD: 0 (0.000%)
Dec 27 13:52:57 nermal snort: ===============================
Dec 27 13:52:57 nermal snort: Action Stats:
Dec 27 13:52:57 nermal snort: ALERTS: 85
Dec 27 13:52:57 nermal snort: LOGGED: 85
Dec 27 13:52:57 nermal snort: PASSED: 0
Dec 27 13:52:57 nermal snort: ===============================
Dec 27 13:52:57 nermal snort: Fragmentation Stats:
Dec 27 13:52:57 nermal snort: Fragmented IP Packets: 252 (0.000%)
Dec 27 13:52:57 nermal snort: Fragment Trackers: 86
Dec 27 13:52:57 nermal snort: Rebuilt IP Packets: 86
Dec 27 13:52:57 nermal snort: Frag elements used: 252
Dec 27 13:52:57 nermal snort: Discarded(incomplete): 0
Dec 27 13:52:57 nermal snort: Discarded(timeout): 83
Dec 27 13:52:57 nermal snort: Frag2 memory faults: 0
Dec 27 13:52:57 nermal snort: ===============================
Dec 27 13:52:57 nermal snort: TCP Stream Reassembly Stats:
Dec 27 13:52:57 nermal snort: TCP Packets Used: 85247734 (99.167%)
Dec 27 13:52:57 nermal snort: Stream Trackers: 2019513
Dec 27 13:52:57 nermal snort: Stream flushes: 0
Dec 27 13:52:57 nermal snort: Segments used: 0
Dec 27 13:52:57 nermal snort: Stream4 Memory Faults: 90453
Dec 27 13:52:57 nermal snort: ===============================
Dec 27 13:52:57 nermal snort: Final Flow Statistics
Dec 27 13:52:58 nermal snort: Snort exiting

I'm also connected to a Cisco 3550 on a port which is mirroring the traffic which makes it past the router and the firewall.

As with anything else, your mileage will vary, but the amount of packet loss should be quite minimal (since I've been using Snort, I've NOT seen a dropped packet personally).

Here is what I use to run snort with, btw:

/usr/local/bin/snort -c /usr/local/etc/snort.conf -i eth1 -g nobody -D -b

Hope this helps...

Bill
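
Added example (not part of the original thread, and not code from the Snort project): a small Python parser for the exit statistics quoted in both messages above, in console or syslog form. It recomputes the drop percentage from the raw counters and lists any non-zero memory-fault counters. The function names and the report layout are assumptions made for this example; the sample lines are copied from the two messages.

```python
import re

# Optional syslog prefix, e.g. "Dec 27 13:52:57 nermal snort: "
PREFIX = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+snort(?:\[\d+\])?:\s*")
RECEIVED = re.compile(r"^Snort received (\d+)")
# "Name: 123", "Name: 123 (4.5%)" or "Name: 123(4.5%)"
COUNTER = re.compile(r"^([A-Za-z][\w ()]*?):\s*(\d+)\s*(?:\([\d.]+%\))?\s*$")

# Sample input: lines copied from the question (console) and the reply (syslog).
CONSOLE = "Snort received 3483036\nAnalyzed: 3461357 (99.378%)\nDropped: 21679 (0.622%)\n"
SYSLOG = """\
Dec 27 13:52:57 nermal snort: Snort received 85964155 packets
Dec 27 13:52:57 nermal snort: Analyzed: 85964155(100.000%)
Dec 27 13:52:57 nermal snort: Dropped: 0(0.000%)
Dec 27 13:52:57 nermal snort: TCP: 85248429 (99.167%)
Dec 27 13:52:57 nermal snort: Frag2 memory faults: 0
Dec 27 13:52:57 nermal snort: Stream4 Memory Faults: 90453
"""

def parse_stats(text):
    """Return {lower-cased counter name: int} from Snort exit statistics."""
    stats = {}
    for line in text.splitlines():
        line = PREFIX.sub("", line).strip()
        m = RECEIVED.match(line)
        if m:
            stats["received"] = int(m.group(1))
            continue
        m = COUNTER.match(line)
        if m:
            stats[m.group(1).strip().lower()] = int(m.group(2))
    return stats

def drop_report(text):
    """Recompute the drop rate from raw counters instead of trusting the printed %."""
    s = parse_stats(text)
    received, dropped = s["received"], s["dropped"]
    return {
        "received": received,
        "dropped": dropped,
        "drop_pct": round(100.0 * dropped / received, 3) if received else 0.0,
        # Analyzed + Dropped should add up to the packets received.
        "consistent": s["analyzed"] + dropped == received,
        # Non-zero preprocessor memory-fault counters, reported as-is.
        "memory_faults": {k: v for k, v in s.items() if "memory faults" in k and v},
    }

if __name__ == "__main__":
    for name, sample in (("console", CONSOLE), ("syslog", SYSLOG)):
        print(name, drop_report(sample))
```
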
Current thread:
- An OK percentage of Dropped Packets? snort (Dec 27)
- Re: An OK percentage of Dropped Packets? Matt Kettler (Dec 27)
- Re: An OK percentage of Dropped Packets? Wes Young (Dec 27)
- Re: An OK percentage of Dropped Packets? snort (Dec 27)
- Re: An OK percentage of Dropped Packets? sekure (Dec 27)
- Re: An OK percentage of Dropped Packets? Wes Young (Dec 27)
- Re: An OK percentage of Dropped Packets? Matt Kettler (Dec 27)
- Re: An OK percentage of Dropped Packets? Bill Parker (Dec 27)
