Snort mailing list archives

Re: Snort Stats (% Packet Loss)

From: Jaime Nebrera <jnebrera () redborder org>
Date: Sat, 3 May 2014 12:33:45 +0200

Hi Kevin,

As part of the Redborder.org project we have developed several tools that
might help you to solve your problem

We will place them in our GitHub repository along the next days (
www.GitHub.com/redBorder)

The first one is just a SNMP exporter of Snort performance data. This is
very interesting to monitor your Snort deployment with tools like Nagios or
Zabbix

The second one extends the first one by sending the same information as
JSON within a Kafka message

We employ the second, as upcoming redBorder 3 release expects all messages
as Kafka, but we are aware of clients using the first system to plug into a
more standardized SNMP framework

Would this help you?
El 02/05/2014 21:12, "Kurzawa, Kevin" <kkurzawa () co pinellas fl us> escribió:

I recently set up ThePigDoktah for reading the perfmonitor stats output.
The % Packet Loss it is giving is confusing me though.



I set the perfmonitor to poll every 60 seconds.



Tcpdump will read 100,000 packets and not drop a single one from the
interface. Even while snort is running.



I also see that the 2nd field in the stats output is the
“pkt_drop_percent.” And my numbers hang around 3-5. Not >100.



Can anyone help me understand the % packet loss? Obviously I’m not
dropping 100% of my packets, I’m getting alerts and whatnot. I figure I
just don’t understand it.



*STATS FILE*

#time,pkt_drop_percent …


1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150



*THE PIG DOKTAH REPORT*

Report Info:

        Processed: stats

        First Entry: Fri May  2 14:46:53 2014

        Last Entry: Fri May  2 14:58:53 2014

        Time Span: 0 days, 0 hours, 12 minutes and 0 seconds



Wirespeed:

        High: 138.603 Mbits/Sec | Fri May  2 14:55:53 2014

        Low: 99.941 Mbits/Sec | Fri May  2 14:46:53 2014

        Avg: 126.206 Mbits/Sec



*% Packet Loss:*

*        High: 124.234% | Fri May  2 14:58:53 2014*

*        Low: 0.000% | Fri May  2 14:48:53 2014*

*        Avg: 120.063%*



Additional Info:

        Avg Pkt Size: 659.974 bytes

        Avg Syns/Sec: 263.536

        Avg SynAcks/Sec: 263.990

        Avg Alerts/Sec: 0.061

        Avg Current Cached Sessions: 43037.147




------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get 
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
- Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
  - Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
    - Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
    - Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
    - Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
- Re: Snort Stats (% Packet Loss) Jaime Nebrera (May 03)