Snort mailing list archives

Snort Stats (% Packet Loss)

From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Fri, 2 May 2014 15:05:28 -0400

I recently set up ThePigDoktah for reading the perfmonitor stats output. The % Packet Loss it is giving is confusing me 
though.

I set the perfmonitor to poll every 60 seconds.

Tcpdump will read 100,000 packets and not drop a single one from the interface. Even while snort is running.

I also see that the 2nd field in the stats output is the "pkt_drop_percent." And my numbers hang around 3-5. Not >100.

Can anyone help me understand the % packet loss? Obviously I'm not dropping 100% of my packets, I'm getting alerts and 
whatnot. I figure I just don't understand it.

STATS FILE
#time,pkt_drop_percent ...
1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150

THE PIG DOKTAH REPORT
Report Info:
        Processed: stats
        First Entry: Fri May  2 14:46:53 2014
        Last Entry: Fri May  2 14:58:53 2014
        Time Span: 0 days, 0 hours, 12 minutes and 0 seconds

Wirespeed:
        High: 138.603 Mbits/Sec | Fri May  2 14:55:53 2014
        Low: 99.941 Mbits/Sec | Fri May  2 14:46:53 2014
        Avg: 126.206 Mbits/Sec

% Packet Loss:
        High: 124.234% | Fri May  2 14:58:53 2014
        Low: 0.000% | Fri May  2 14:48:53 2014
        Avg: 120.063%

Additional Info:
        Avg Pkt Size: 659.974 bytes
        Avg Syns/Sec: 263.536
        Avg SynAcks/Sec: 263.990
        Avg Alerts/Sec: 0.061
        Avg Current Cached Sessions: 43037.147

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get 
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
- Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
  - Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
    - Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
    - Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
    - Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
- Re: Snort Stats (% Packet Loss) Jaime Nebrera (May 03)