Snort mailing list archives

Re: Packet I/O Totals section


From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Thu, 17 Jul 2014 15:15:20 +0000

Hello Elof,

The stats are as follows:

Received -> Number of packets received by the hardware
Analyzed -> Number of packets received by the instance
Dropped -> Number of packets dropped by the hardware
Outstanding -> Number of packets that have been received by hardware but have not been filtered or received by the 
instance.

Hardware counters are incremented immediately as packets become available and are taken from the kernel, while instance 
counters are incremented immediately after DAQ receives a verdict from Snort.

So to answer your questions:
1: All of these stats are reported by / calculated with values from the DAQ.
2: Yes, this is the number of packets for which Snort has delivered a verdict.
3: This is the number of drops as reported by the kernel. This does not include Snort drops as dropping involves 
consuming the packet without forwarding it.
4: This should be Received - Filtered - Analyzed. From your example, this appears to be correct.

Hope this is what you were looking for.

-Carter
________________________________________
From: elof () sentor se [elof () sentor se]
Sent: Wednesday, July 16, 2014 11:41 AM
To: snort-devel mailinglist
Subject: [Snort-devel] Packet I/O Totals section

When stopping snort, or dumping stats, you get this section:

===============================================================================
Packet I/O Totals:
    Received:   wwwwwww
    Analyzed:   xxxxxxx ( 99.811%)
     Dropped:   yyyyyyy (  0.730%)
    Filtered:         0 (  0.000%)
Outstanding:   zzzzzzz (  0.189%)
    Injected:         0
===============================================================================

Filtered is not supported by the pcap DAQ, so 0.
Injected is 0 since I'm not running in inline mode.

No questions about these two. But...


1) Exactly where is the Received value coming from?
Is it an internal counter of *actually received packets* within snort, or
is this value supplied by the daq-system, bpf-system or similar?

2) I guess analyzed is the amount of packets from the received ones that
actually made it all the way through snort processing. Correct? ...or is
this acquired elsewhere?

3) Dropped seems to be the reported drop count from the bpf-system. This
should mean that Dropped = "Capture drops (drops outside of snort)".
Correct?

4) Outstanding seems to simply be Received minus Analyzed. Correct?



I get very confusing numbers; that's why I'm asking.
When I have descriptions of what the values should be, I can create a
future bug report, if needed.


So, for the four titles above, can I have a short description of what they
truly are and where the values come from?

/Elof
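To make the relations from Carter's reply checkable against a real stats dump, here is an added example (not code from the thread or from the Snort project) that parses a Packet I/O Totals block and verifies Outstanding = Received - Filtered - Analyzed, then flags capture drops above a threshold. The sample block, the threshold and the drop denominator (Received + Dropped, since the thread describes Received and Dropped as separate hardware counters) are assumptions of this example.

```python
import re

# Constructed sample block in the format quoted in the thread (not real Snort output).
SAMPLE = """\
===============================================================================
Packet I/O Totals:
    Received:   1000000
    Analyzed:    998110 ( 99.811%)
     Dropped:      7300 (  0.730%)
    Filtered:         0 (  0.000%)
Outstanding:      1890 (  0.189%)
    Injected:         0
===============================================================================
"""

FIELDS = ("Received", "Analyzed", "Dropped", "Filtered", "Outstanding", "Injected")
# Label, colon, then the integer count; the trailing "( xx.xxx%)" is ignored.
LINE_RE = re.compile(r"^\s*(\w+):\s+(\d+)")


def parse_io_totals(text):
    """Return the six counters of a Packet I/O Totals block as a dict."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) in FIELDS:
            stats[m.group(1)] = int(m.group(2))
    missing = [f for f in FIELDS if f not in stats]
    if missing:
        raise ValueError("missing counters: " + ", ".join(missing))
    return stats


def check_io_totals(stats, max_drop_pct=1.0):
    """Apply the relations given in the reply; return a list of findings (empty = consistent)."""
    findings = []
    # Outstanding: seen by the hardware, but no verdict from the instance yet.
    expected = stats["Received"] - stats["Filtered"] - stats["Analyzed"]
    if stats["Outstanding"] != expected:
        findings.append("Outstanding %d != Received - Filtered - Analyzed (%d)"
                        % (stats["Outstanding"], expected))
    # Dropped is the kernel's capture-drop count: traffic Snort never inspected.
    # Assumption: share is taken over everything the kernel saw (Received + Dropped).
    offered = stats["Received"] + stats["Dropped"]
    drop_pct = 100.0 * stats["Dropped"] / offered if offered else 0.0
    if drop_pct > max_drop_pct:
        findings.append("capture drops %.3f%% exceed %.1f%% threshold" % (drop_pct, max_drop_pct))
    return findings
```

A non-empty result from `check_io_totals` on a dump is the kind of evidence Elof mentions collecting before filing a bug report, or, for the drop finding, a sign that the sensor is missing traffic.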

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

