AW: 'kill snort-pid -USR1' returns unrealistic figu res

["Poppi, Sandro" <Sandro.Poppi () wacker com>]

Bruno,

I'm just guessing: If you're using RedHat linux there a "strange libpcap"
behaviour has been mentioned on the list. Maybe this is your prob.

As I said, I'm just guessing.

Sandro
> Statistics generated by "kill snort-pid -USR1"  look strange :
>
> 1/ snort is launched
>
> 2/ a few second later I did a "kill snort-pid -USR1"
>
> (...)
> Feb 11 17:02:47 snortBox snort: Snort analyzed 10346 out of 
> 10923 packets, 
> Feb 11 17:02:47 snortBox snort: dropping 577(5.282%) packets  
> (...)
>
> Nothing special to say. 
>
> 3/ about one minute later, I did it  again 
>
> (...)
> Feb 11 17:03:48 snortBox snort: Snort analyzed -119209984 out 
> of 16777216 packets, 
> Feb 11 17:03:48 snortBox snort: dropping 135987200(810.547%) packets  
> (...)
>
> These figures are impressive but don't seem very reliable.
>
> In annex an even worst case.
>
> Is this a known problem ? Any comments ?
>
> Context :
>
> Before posting this, I wasn't able to find any relevant 
> information with the usual web/news search tools.
>
> Nothing special about snort binaries: I read the docs, 
> compiled it as recommended (unless 
> I missed something). snort 1.8.2.
> SnortSnarf is able to use the collected data.
>
> Hardware : a Compaq Deskpro DP2000 with two ethernet cards.
>
> # 'cat /proc/net/dev' looks very acceptable (after I added 
> some spaces to improve layout)
>
> Inter-|   Receive                                             
>         |  Transmit
>  face |     bytes    packets errs drop fifo frame compressed 
> multicast|    bytes packets errs drop fifo   colls carrier compressed
>     lo:     13350       179    0    0    0     0          0   
>       0      13350     179    0    0    0       0       0          0
>   eth0: 941121015 266280107    2    0    0     3          0   
>       0        168       4    0    0    0       0       0          0
>   eth1:1467837932   6539927    0    0    0     0          0   
>       0 4117790301 7032899    0    0    0 1139037       0          0
>
>
> ------------
>
> Regards.
>
> Bruno Vuillemin, university of Fribourg/Freiburg 
> (Switzerland), computer service
>
> --------------------------------------------------------
>
>
> Annex :
>
> This was output about one hour after snort was launched.
> Figures again are surprising.
>
>
>
>
> Feb 12 16:00:25 snortBox snort:   
> ==============================================================
> ================= 
> Feb 12 16:00:25 snortBox snort: Snort analyzed 0 out of 0 packets, 
> Feb 12 16:00:25 snortBox snort: . 
> Feb 12 16:00:25 snortBox snort: Breakdown by protocol:        
>         Action Stats: 
> Feb 12 16:00:25 snortBox snort:     TCP: 307907     (inf%)    
>      ALERTS: 89         
> Feb 12 16:00:25 snortBox snort:     UDP: 3391       (inf%)    
>      LOGGED: 30         
> Feb 12 16:00:25 snortBox snort:    ICMP: 308        (inf%)    
>      PASSED: 0          
> Feb 12 16:00:25 snortBox snort:     ARP: 1826       (inf%) 
> Feb 12 16:00:25 snortBox snort:    IPv6: 0          (0.000%) 
> Feb 12 16:00:25 snortBox snort:     IPX: 4          (inf%) 
> Feb 12 16:00:25 snortBox snort:   OTHER: 3058       (inf%) 
> Feb 12 16:00:25 snortBox snort: DISCARD: 0          (0.000%) 
> Feb 12 16:00:25 snortBox snort: 
> ==============================================================
> ================= 
> Feb 12 16:00:25 snortBox snort: Fragmentation Stats: 
> Feb 12 16:00:25 snortBox snort: Fragmented IP Packets: 0      
>     (0.000%) 
> Feb 12 16:00:25 snortBox snort:     Fragment Trackers: 0          
> Feb 12 16:00:25 snortBox snort:    Rebuilt IP Packets: 0          
> Feb 12 16:00:25 snortBox snort:    Frag elements used: 0          
> Feb 12 16:00:25 snortBox snort: Discarded(incomplete): 0          
> Feb 12 16:00:25 snortBox snort:    Discarded(timeout): 0          
> Feb 12 16:00:25 snortBox snort:   Frag2 memory faults: 0          
> Feb 12 16:00:25 snortBox snort: 
> ==============================================================
> ================= 
> Feb 12 16:00:25 snortBox snort: TCP Stream Reassembly Stats: 
> Feb 12 16:00:25 snortBox snort:         TCP Packets Used: 
> 307891     (inf%) 
> Feb 12 16:00:25 snortBox snort:          Stream Trackers: 8767       
> Feb 12 16:00:25 snortBox snort:           Stream flushes: 1018       
> Feb 12 16:00:25 snortBox snort:            Segments used: 2663       
> Feb 12 16:00:25 snortBox snort:    Stream4 Memory Faults: 0          
> Feb 12 16:00:25 snortBox snort: 
> ==============================================================
> ================= 
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users