Snort mailing list archives
Bug Report : Perfmonitor counter wrapping : pkts_drop, pkts_recv and derived stats
From: Gulfie <gulfie () grotto-group com>
Date: Thu, 10 Nov 2005 17:42:30 -0800
Problem : Perfmonitor is giving numbers that look like int_32 wrapping.
pkt_stats.pkts_drop and pkt_stats.pkts_recv
seem to be exhibiting problems where the kpackets_*_persec and *_mbits_persec are not.
Snort : snort-CVS-CUR (Build 29)
The problem seems to be throughout the 2.4 line.
Setup : Passive using the standard pcap library.
The problem is being exhibited even at low packet rates, i.e. 1000 pkts/sec @ .5 Mbit/sec,
though the problem gets much worse when the load goes up (as the log below shows).
The host :
i386, 1 x Celeron 2 GHz
512 MB RAM
Fedora Core 3
Updating libpcap caused no change in behavior.
2 x Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet (rev 10)
LOG:
I.E.
<snort.stats> ( the last two numbers in the rows seem wrong )
1131658300,106.838,1.0,0.0,1.1,136,25.06,21.5,21.7,128.7,446.3,5419,8191,188.2,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,3.5,83.4,13.1,1.01,0.00,0.00,0.24,1.25,131,0,0,163,136,0.97,0.00,0.00,0.18,1.15,16307,17422
1131658309,70.614,1.0,0.0,1.1,120,14.35,36.7,36.0,191.8,240.7,4986,8191,54.7,0,1,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,3.4,83.4,13.2,1.04,0.00,0.00,0.06,1.09,119,0,0,172,120,1.09,0.00,0.00,0.04,1.13,4577,3232
1131658315,100.000,1.8,0.0,1.7,129,7.98,50.6,45.1,228.1,2.6,6301,8191,8.6,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,4.5,88.9,6.6,1.77,0.00,0.00,0.01,1.78,129,0,0,199,129,1.71,0.00,0.00,0.01,1.71,4294907465,4294907258
1131658325,100.000,1.0,0.0,0.9,138,6.15,15.6,15.2,95.6,0.3,7306,8191,1.7,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,1.7,88.9,9.4,1.05,0.00,0.00,0.00,1.05,138,0,0,198,138,0.95,0.00,0.00,0.00,0.95,4294919317,4294919295
1131658349,101.221,0.4,0.0,0.4,145,17.89,4.2,4.2,41.3,283.6,1591,8191,58.6,0,1,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,1.0,84.8,14.2,0.43,0.00,0.00,0.06,0.49,143,0,0,165,145,0.38,0.00,0.00,0.05,0.42,84791,85826
1131658910,99.233,0.0,0.0,0.0,135,10.76,0.4,0.4,2.3,5.1,36,8191,0.8,0,7,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,0.0,25.1,74.8,0.02,0.00,0.00,0.00,0.02,133,0,0,176,135,0.02,0.00,0.00,0.00,0.02,118382,117474
1131658927,100.000,0.4,0.0,0.6,90,9.32,28.2,26.3,48.3,9.9,702,8191,19.3,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,1.5,88.4,10.1,0.41,0.00,0.00,0.01,0.42,89,0,0,160,90,0.57,0.00,0.00,0.01,0.58,4294796760,4294796674
1131658932,10971330.835,10.9,0.0,15.6,88,11.23,1351.4,1080.2,1866.0,192.0,8190,8191,288.8,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,45.4,54.5,0.1,10.87,0.00,0.00,0.16,11.02,87,0,0,160,88,15.53,0.00,0.00,0.12,15.65,39147,4294946882
1131658937,118.875,9.7,0.0,14.5,90,16.77,1274.8,1020.2,1873.9,1874.6,8187,8191,862.1,0,1,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,45.0,54.9,0.2,9.66,0.00,0.00,0.88,10.53,87,0,0,159,90,13.84,0.00,0.00,0.69,14.53,14707,17483
1131658942,57.994,9.9,0.0,14.8,90,16.08,1269.4,980.4,1863.5,1863.1,8189,8191,849.8,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,44.6,55.0,0.3,9.90,0.00,0.00,0.80,10.70,87,0,0,158,90,14.17,0.00,0.00,0.63,14.80,23525,13643
1131658947,100.000,10.0,0.0,14.9,90,15.96,1264.9,1042.7,1857.5,1857.8,8188,8191,831.9,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,45.0,54.8,0.2,10.01,0.00,0.00,0.80,10.81,87,0,0,158,90,14.29,0.00,0.00,0.63,14.92,4294936806,4294946349
1131658952,101.276,9.7,0.0,14.5,90,16.23,1285.6,1012.5,1885.2,1885.4,8187,8191,825.2,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,44.7,55.1,0.2,9.74,0.00,0.00,0.81,10.55,87,0,0,159,90,13.91,0.00,0.00,0.64,14.55,8074,8177
1131658957,54.202,10.0,0.0,14.9,90,16.18,1282.8,1059.8,1864.2,1864.0,8188,8191,818.2,0,0,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,46.6,53.3,0.1,9.98,0.00,0.00,0.80,10.78,87,0,0,158,90,14.22,0.00,0.00,0.63,14.85,21097,11435
1131658979,0.000,0.7,0.0,0.9,96,7.94,29.9,25.6,56.1,56.0,8190,8191,30.2,0,1,0.0,0.0,0.0,0.0,0.0,0.0,0,0,0,0,1,1.9,69.3,28.8,0.67,0.00,0.00,0.03,0.70,94,0,0,158,96,0.89,0.00,0.00,0.02,0.91,4294910482,396
A drop % of 10971330.835 is kinda high.
Possible source of issue :
snort-CVS-CUR/src/preprocessors/perf-base.c
Line : 1273
sfBaseStats->pkt_stats.pkts_recv = pcapStats.ps_recv +
(UINT32_MAX - sfBase->pkt_stats.pkts_recv);
pcapStats.ps and UINT32_MAX are 32 bit values
sfBaseStats and sfBase are both 64 bit values.
I don't remember enough of my type propagation rules in C, nor understand the code enough to proceed at the moment.
I'm not currently blocked by the issue so I'll go on about my day, but I thought y'all should know what I have found.
-gulfie
p.s. Where should bugs be filed? The list seems to have some, the sourceforge page has fewer, and there seems to be no bugzilla on snort.org.
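
An added illustration, not part of the original post and not Snort's code: folding a wrapping 32-bit counter (libpcap reports its packet counts as 32-bit unsigned values) into a 64-bit total in C, next to two expressions shaped like the line quoted above. All function names and sample values are constructed for this example.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wrap-safe delta between two samples of a free-running 32-bit counter.
 * The subtraction is forced back to 32 bits, so it is taken modulo 2^32;
 * correct if the counter wrapped at most once between samples. */
uint64_t delta_wrapsafe(uint32_t prev, uint32_t cur)
{
    return (uint64_t)(uint32_t)(cur - prev);
}

/* "cur + (UINT32_MAX - prev)" on 32-bit samples: one short of the true
 * delta after a wrap, because the step from UINT32_MAX to 0 is not counted. */
uint64_t delta_max_minus_prev(uint32_t prev, uint32_t cur)
{
    return (uint64_t)cur + (UINT32_MAX - prev);
}

/* Mixed widths: a 64-bit operand makes the whole expression 64-bit
 * (usual arithmetic conversions). Once prev64 exceeds UINT32_MAX the
 * inner subtraction wraps modulo 2^64 and the result is enormous. */
uint64_t delta_mixed_width(uint64_t prev64, uint32_t cur)
{
    return cur + (UINT32_MAX - prev64);
}

/* Fold raw 32-bit samples into a 64-bit running total. */
uint64_t accumulate(const uint32_t *samples, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 1; i < n; i++)
        total += delta_wrapsafe(samples[i - 1], samples[i]);
    return total;
}

int main(void)
{
    /* Constructed samples: the counter wraps between the 2nd and 3rd. */
    const uint32_t s[] = { 4294967000u, 4294967290u, 500u, 1500u };
    printf("total       %" PRIu64 "\n", accumulate(s, 4));
    printf("wrap-safe   %" PRIu64 "\n", delta_wrapsafe(s[1], s[2]));
    printf("max-minus   %" PRIu64 "\n", delta_max_minus_prev(s[1], s[2]));
    printf("mixed width %" PRIu64 "\n",
           delta_mixed_width(UINT64_C(4294967396), 10));
    return 0;
}
```
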
