Snort mailing list archives

Snort dropping more packets than it received

From: Scott Finlon <scott.finlon () scranton edu>
Date: Wed, 12 Sep 2012 15:19:43 +0000

I just installed Snort to run on 8 instances via PF_RING DNA, and whenever I dump the stats via kill -usr1 or end the 
processes the numbers just don't add up.
Is this an issue with the way Snort is adding, or could it be something else?

Sep 12 09:27:45 xxxx snort[6727]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6727]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6727]:    Received:     45655984
Sep 12 09:27:45 xxxx snort[6727]:    Analyzed:     45655984 (100.000%)
Sep 12 09:27:45 xxxx snort[6727]:     Dropped:     46954650 ( 50.701%)
Sep 12 09:27:45 xxxx snort[6727]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6727]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6727]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6727]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6718]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6718]: Packet I/O Totals:
Sep 12 09:27:44 xxxx snort[6718]:    Received:     37025357
Sep 12 09:27:44 xxxx snort[6718]:    Analyzed:     37025357 (100.000%)
Sep 12 09:27:44 xxxx snort[6718]:     Dropped:     52133522 ( 58.473%)
Sep 12 09:27:44 xxxx snort[6718]:    Filtered:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6718]: Outstanding:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6718]:    Injected:            0
Sep 12 09:27:44 xxxx snort[6718]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6709]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6709]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6709]:    Received:     44085744
Sep 12 09:27:45 xxxx snort[6709]:    Analyzed:     44085744 (100.000%)
Sep 12 09:27:45 xxxx snort[6709]:     Dropped:     42766248 ( 49.240%)
Sep 12 09:27:45 xxxx snort[6709]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6709]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6709]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6709]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6700]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6700]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6700]:    Received:     37680008
Sep 12 09:27:45 xxxx snort[6700]:    Analyzed:     37680008 (100.000%)
Sep 12 09:27:45 xxxx snort[6700]:     Dropped:     61853368 ( 62.143%)
Sep 12 09:27:45 xxxx snort[6700]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6700]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6700]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6700]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6691]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6691]: Packet I/O Totals:
Sep 12 09:27:44 xxxx snort[6691]:    Received:     39290934
Sep 12 09:27:44 xxxx snort[6691]:    Analyzed:     39290934 (100.000%)
Sep 12 09:27:44 xxxx snort[6691]:     Dropped:     68707395 ( 63.619%)
Sep 12 09:27:44 xxxx snort[6691]:    Filtered:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6691]: Outstanding:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6691]:    Injected:            0
Sep 12 09:27:44 xxxx snort[6691]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6682]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6682]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6682]:    Received:     38398293
Sep 12 09:27:45 xxxx snort[6682]:    Analyzed:     38398293 (100.000%)
Sep 12 09:27:45 xxxx snort[6682]:     Dropped:     58069741 ( 60.196%)
Sep 12 09:27:45 xxxx snort[6682]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6682]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6682]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6682]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6673]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6673]: Packet I/O Totals:
Sep 12 09:27:44 xxxx snort[6673]:    Received:     34303570
Sep 12 09:27:44 xxxx snort[6673]:    Analyzed:     34303570 (100.000%)
Sep 12 09:27:44 xxxx snort[6673]:     Dropped:     57869774 ( 62.784%)
Sep 12 09:27:44 xxxx snort[6673]:    Filtered:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6673]: Outstanding:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6673]:    Injected:            0
Sep 12 09:27:44 xxxx snort[6673]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6664]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6664]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6664]:    Received:     40875927
Sep 12 09:27:45 xxxx snort[6664]:    Analyzed:     40875927 (100.000%)
Sep 12 09:27:45 xxxx snort[6664]:     Dropped:     56738978 ( 58.125%)
Sep 12 09:27:45 xxxx snort[6664]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6664]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6664]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6664]: ===============================================================================

Scott Finlon
-----------------------------------
Information Security Engineer
The University of Scranton
email : finlons2 () scranton edu
phone : 570-941-6168
-----------------------------------

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort dropping more packets than it received Scott Finlon (Sep 12)
- Re: Snort dropping more packets than it received Peter Bates (Sep 12)
  - Re: Snort dropping more packets than it received Scott Finlon (Sep 12)