Snort mailing list archives

Snort questions, statistics information and other


From: "Santi Benito" <benisoroa () gmail com>
Date: Tue, 4 Apr 2006 12:55:34 +0200

Hello snorters, my name is Santi and I am a Spanish engineer who has just
started working with Snort.
My final thesis project consists of the following:

I have to replay (with tcpreplay) real traffic that has been saved to a hard
disk.

I have to replay it at different speeds and, on another workstation, see how
Snort performs and how the number of packets that Snort drops grows.

I have started by replaying a one-gigabyte file at a speed of 10 Mbit/sec,
and one of my many questions is:

1. How is it possible that, when I have replayed only 1682136 packets, the
Snort statistics show that it has received 3341818? Could it be that it also
analyses the outgoing packets sent in response to a SYN packet?
(It is important to note that the listening interface is dedicated: on eth1 it
only receives the traffic that I am replaying.)

2. Second one: I don't understand the Final Flow Statistics section.

What does this mean?

Final Flow Statistics
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%1.238689)/blocks (129886/635)
Overhead blocks: 1 Could Hold: (58579)
IPV4 count: 634 frees: 0 low_time: 1144078536, high_time: 1144078555, diff: 0h:00:19s
    finds: 2352 reversed: 922(%39.200680)
    find_sucess: 1718 find_fail: 634 percent_success: (%73.044218)
new_flows: 634
Protocol: 1 (%1.785714) finds: 42  reversed: 2(%4.761905)
  find_sucess: 24 find_fail: 18 percent_success: (%57.142857) new_flows: 18
Protocol: 4 (%0.382653) finds: 9  reversed: 3(%33.333333)
  find_sucess: 8 find_fail: 1 percent_success: (%88.888889) new_flows: 1
Protocol: 6 (%85.586735) finds: 2013  reversed: 821(%40.784898)
  find_sucess: 1520 find_fail: 493 percent_success: (%75.509190) new_flows: 493
Protocol: 17 (%12.074830) finds: 284  reversed: 95(%33.450704)
  find_sucess: 163 find_fail: 121 percent_success: (%57.394366) new_flows: 121
Protocol: 47 (%0.170068) finds: 4  reversed: 1(%25.000000)
  find_sucess: 3 find_fail: 1 percent_success: (%75.000000) new_flows: 1

3. How can I change the memcap?
4. Is it normal that at 100 Mbit/sec Snort is dropping nearly 50% of the packets?

Sorry about these questions, but they are very important for me. I am new to
this world and I sincerely hope that you can help me.
Thank you very much.
Santi
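The FLOWCACHE block in question 2 is the cache summary printed by the Snort 2.x flow preprocessor, and the counters on it are tied to each other in ways a small parser can verify. The Python below is an added example, not part of Santi's post or of Snort's own code: it parses the block exactly as posted (the wrapped lines rejoined) and checks the relations the numbers obey. Every packet causes one lookup ("find") of its flow key in the cache; a failed lookup allocates a new flow, so new_flows equals find_fail and finds equals find_sucess plus find_fail; the percentages are those counts divided by finds; the per-protocol lines sum to the cache-wide line; and IPV4 count is new_flows minus frees. The reading of "reversed" as lookups that only matched with source and destination swapped (packets travelling in the reply direction of a known flow) is my interpretation of the preprocessor, not something the post states.

```python
import re

# Constructed test input: the FLOWCACHE STATS block copied from the post
# above, with the lines that the mail client wrapped rejoined.
FLOW_STATS = """\
,----[ FLOWCACHE STATS ]----------
Memcap: 10485760 Overhead Bytes 16400 used(%1.238689)/blocks (129886/635)
Overhead blocks: 1 Could Hold: (58579)
IPV4 count: 634 frees: 0 low_time: 1144078536, high_time: 1144078555, diff: 0h:00:19s
    finds: 2352 reversed: 922(%39.200680)
    find_sucess: 1718 find_fail: 634 percent_success: (%73.044218)
new_flows: 634
Protocol: 1 (%1.785714) finds: 42  reversed: 2(%4.761905)
  find_sucess: 24 find_fail: 18 percent_success: (%57.142857) new_flows: 18
Protocol: 4 (%0.382653) finds: 9  reversed: 3(%33.333333)
  find_sucess: 8 find_fail: 1 percent_success: (%88.888889) new_flows: 1
Protocol: 6 (%85.586735) finds: 2013  reversed: 821(%40.784898)
  find_sucess: 1520 find_fail: 493 percent_success: (%75.509190) new_flows: 493
Protocol: 17 (%12.074830) finds: 284  reversed: 95(%33.450704)
  find_sucess: 163 find_fail: 121 percent_success: (%57.394366) new_flows: 121
Protocol: 47 (%0.170068) finds: 4  reversed: 1(%25.000000)
  find_sucess: 3 find_fail: 1 percent_success: (%75.000000) new_flows: 1
"""

# Counters we keep (Snort's own spelling "find_sucess" is preserved);
# everything else on a line is ignored.
KEYS = {"Memcap", "count", "frees", "low_time", "high_time", "finds",
        "reversed", "find_sucess", "find_fail", "percent_success", "new_flows"}


def _fields(line):
    """Extract 'key: value' counters; Snort prints percentages as '(%nn.n)'."""
    fields = {}
    for key, value in re.findall(r"(\w+):\s*\(?%?(\d+(?:\.\d+)?)", line):
        if key in KEYS:
            fields[key] = float(value) if "." in value else int(value)
    # 'reversed: 922(%39.200680)' carries its own percentage after the count.
    m = re.search(r"reversed:\s*\d+\(%([\d.]+)\)", line)
    if m:
        fields["reversed_pct"] = float(m.group(1))
    return fields


def parse_flowcache(text):
    """Return (cache-wide totals, [one record per IP protocol number])."""
    overall, protocols, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"\s*Protocol:\s*(\d+)\s*\(%([\d.]+)\)", line)
        if m:
            current = {"protocol": int(m.group(1)), "share_pct": float(m.group(2))}
            protocols.append(current)
        (overall if current is None else current).update(_fields(line))
    return overall, protocols


def check_record(rec, tol=1e-5):
    """Invariants one FLOWCACHE record must satisfy; returns the violations."""
    finds, hits, misses = rec["finds"], rec["find_sucess"], rec["find_fail"]
    problems = []
    if hits + misses != finds:
        problems.append("find_sucess + find_fail != finds")
    if rec["new_flows"] != misses:  # every cache miss allocates a new flow
        problems.append("new_flows != find_fail")
    if abs(100.0 * hits / finds - rec["percent_success"]) > tol:
        problems.append("percent_success != 100*find_sucess/finds")
    if abs(100.0 * rec["reversed"] / finds - rec["reversed_pct"]) > tol:
        problems.append("reversed% != 100*reversed/finds")
    return problems


def check_totals(overall, protocols, tol=1e-5):
    """The per-protocol records must add up to the cache-wide line."""
    problems = []
    if sum(p["finds"] for p in protocols) != overall["finds"]:
        problems.append("per-protocol finds do not sum to total finds")
    if sum(p["new_flows"] for p in protocols) != overall["new_flows"]:
        problems.append("per-protocol new_flows do not sum to total new_flows")
    if overall["count"] != overall["new_flows"] - overall["frees"]:
        problems.append("IPV4 count != new_flows - frees")
    for p in protocols:  # a protocol's share is its finds over all finds
        if abs(100.0 * p["finds"] / overall["finds"] - p["share_pct"]) > tol:
            problems.append("protocol %d share != finds/total" % p["protocol"])
    return problems


def audit(text):
    """Parse a FLOWCACHE STATS block and list every violated invariant."""
    overall, protocols = parse_flowcache(text)
    problems = check_totals(overall, protocols)
    for rec in [overall] + protocols:
        problems += check_record(rec)
    return overall, protocols, problems


if __name__ == "__main__":
    totals, per_proto, issues = audit(FLOW_STATS)
    print("%d lookups, %d new flows, %d protocols, %d problems"
          % (totals["finds"], totals["new_flows"], len(per_proto), len(issues)))
```

Run against the posted block the audit reports no violations, which is the useful reading of it: in 19 seconds of replay the cache saw 2352 lookups, 634 of them misses that each created a flow (so 634 flows live, none freed), and 39% of all lookups matched only after swapping the endpoints, i.e. the capture contains both directions of most TCP conversations. Pointing the same script at the stats from a faster replay shows whether frees start climbing (the cache evicting under its memcap) as the drop rate rises.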
