Snort mailing list archives
[2]'kill snort-pid -USR1' returns unrealistic figures
From: Bruno Vuillemin <Bruno.Vuillemin () unifr ch>
Date: Thu, 21 Feb 2002 17:44:48 +0100
Hello everybody,

After a first mail about the fact that "kill snort-pid -USR1" generated very unlikely statistics, I got some advice about libpcap etc. Thanks.

So:
I upgraded the Linux system (Red Hat 7.2) (applied all current patch rpms) to kernel 2.4.9-21
I removed the redhat libpcap rpm
I installed libpcap 0.7.1 (from www.tcpdump.org)
I upgraded snort to 1.8.3

The monitored ethernet card uses the driver eepro100.
/etc/modules.conf contains, among other lines:
alias eth0 eepro100

I didn't recompile the new kernel after reading the libpcap 0.7.1 README.linux and its remark about packet socket, because I got no complaint from snort or the system. Since it is not a module, I think it is already included in the kernel...

And again the figures show something wrong... (16'2213 214.539% can't compare to the total 75'603).

Hence there's a doubt in my mind: /proc/net/dev shows no problem getting the packets... but what about snort?

Any comments? Thanks.

Bruno Vuillemin, computer service, University of Fribourg/Freiburg, Switzerland.
Feb 21 16:34:17 snortBox snort: ===============================================================================
Feb 21 16:34:17 snortBox snort: Snort analyzed 75603 out of 75610 packets,
Feb 21 16:34:17 snortBox snort: dropping 7(0.009%) packets
Feb 21 16:34:17 snortBox snort: Breakdown by protocol:                Action Stats:
Feb 21 16:34:17 snortBox snort:     TCP: 162213     (214.539%)        ALERTS: 48
Feb 21 16:34:17 snortBox snort:     UDP: 649        (0.858%)          LOGGED: 28
Feb 21 16:34:17 snortBox snort:    ICMP: 139        (0.184%)          PASSED: 0
Feb 21 16:34:17 snortBox snort:     ARP: 603        (0.798%)
Feb 21 16:34:17 snortBox snort:    IPv6: 0          (0.000%)
Feb 21 16:34:17 snortBox snort:     IPX: 0          (0.000%)
Feb 21 16:34:17 snortBox snort:   OTHER: 1099       (1.454%)
Feb 21 16:34:17 snortBox snort: DISCARD: 0          (0.000%)
Feb 21 16:34:17 snortBox snort: ===============================================================================
Feb 21 16:34:17 snortBox snort: Fragmentation Stats:
Feb 21 16:34:17 snortBox snort: Fragmented IP Packets: 0 (0.000%)
Feb 21 16:34:17 snortBox snort: Fragment Trackers: 0
Feb 21 16:34:17 snortBox snort: Rebuilt IP Packets: 0
Feb 21 16:34:17 snortBox snort: Frag elements used: 0
Feb 21 16:34:17 snortBox snort: Discarded(incomplete): 0
Feb 21 16:34:17 snortBox snort: Discarded(timeout): 0
Feb 21 16:34:17 snortBox snort: Frag2 memory faults: 0
Feb 21 16:34:17 snortBox snort: ===============================================================================
Feb 21 16:34:17 snortBox snort: TCP Stream Reassembly Stats:
Feb 21 16:34:17 snortBox snort: TCP Packets Used: 162212 (214.538%)
Feb 21 16:34:17 snortBox snort: Stream Trackers: 4398
Feb 21 16:34:17 snortBox snort: Stream flushes: 351
Feb 21 16:34:17 snortBox snort: Segments used: 924
Feb 21 16:34:17 snortBox snort: Stream4 Memory Faults: 0
Feb 21 16:34:17 snortBox snort: ===============================================================================
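
Added example, not part of the original post and not Snort project code: a small Python check that parses a USR1 statistics dump in the syslog layout shown above and reports counters that are inconsistent with the analyzed total. The function names are hypothetical, and the rule that each analyzed packet is counted under at most one protocol is an assumption of this sketch, not documented Snort behaviour.

```python
import re

# Sample input: lines taken from the log in the post above.
SAMPLE = """\
Feb 21 16:34:17 snortBox snort: Snort analyzed 75603 out of 75610 packets,
Feb 21 16:34:17 snortBox snort: dropping 7(0.009%) packets
Feb 21 16:34:17 snortBox snort: TCP: 162213 (214.539%) ALERTS: 48
Feb 21 16:34:17 snortBox snort: UDP: 649 (0.858%) LOGGED: 28
Feb 21 16:34:17 snortBox snort: ICMP: 139 (0.184%) PASSED: 0
Feb 21 16:34:17 snortBox snort: ARP: 603 (0.798%)
Feb 21 16:34:17 snortBox snort: OTHER: 1099 (1.454%)
"""

TOTALS = re.compile(r"snort: Snort analyzed (\d+) out of (\d+) packets")
COUNTER = re.compile(r"snort: \s*([A-Za-z0-9 ]+?):\s+(\d+)\s+\((\d+\.\d+)%\)")
PROTOCOLS = {"TCP", "UDP", "ICMP", "ARP", "IPv6", "IPX", "OTHER", "DISCARD"}

def parse_stats(text):
    """Return (analyzed, received, {protocol: count}) from a stats dump."""
    analyzed = received = None
    counters = {}
    for line in text.splitlines():
        m = TOTALS.search(line)
        if m:
            analyzed, received = int(m.group(1)), int(m.group(2))
            continue
        m = COUNTER.search(line)
        # Only the "Breakdown by protocol" rows; other sections are skipped.
        if m and m.group(1) in PROTOCOLS:
            counters[m.group(1)] = int(m.group(2))
    return analyzed, received, counters

def check_stats(text):
    """List inconsistencies between protocol counters and the analyzed total."""
    analyzed, received, counters = parse_stats(text)
    if analyzed is None:
        raise ValueError("no 'Snort analyzed N out of M packets' line found")
    problems = []
    if analyzed > received:
        problems.append(f"analyzed {analyzed} exceeds received {received}")
    # Assumption: one analyzed packet increments at most one protocol counter.
    for name, count in counters.items():
        if count > analyzed:
            problems.append(f"{name}: {count} exceeds analyzed total {analyzed}")
    total = sum(counters.values())
    if total > analyzed:
        problems.append(f"protocol counters sum to {total}, analyzed is {analyzed}")
    return problems

if __name__ == "__main__":
    for problem in check_stats(SAMPLE):
        print("INCONSISTENT:", problem)
```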