Snort mailing list archives
Drop statistics and Cisco Catalyst 6500
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Wed, 27 Mar 2002 16:56:34 -0600
I'm trying to understand the packet & drop statistics generated by Snort vs. the statistics generated by a Cisco Catalyst 6500.

Sensor info:
  Compaq ML370 rack-mount, Pentium III at 933MHz, 512MB RAM
  Red Hat 7.2 with stock kernel 2.4.7-10
  libpcap-0.7.1 compiled locally
  snort-1.8.3 compiled locally against libpcap-0.7.1

  Admin interface:  eth0: OEM i82557/i82558 10/100 Ethernet, xx:xx:xx:xx:xx:xx, IRQ 11.
  Unused interface: eth1: OEM i82557/i82558 10/100 Ethernet, xx:xx:xx:xx:xx:xx, IRQ 5.
  Snort interface:  eth2: Mem:0xc6fe0000 IRQ:15 Speed:1000 Mbps Duplex:Full
                    Intel(R) PRO/1000 Network Driver - version 3.1.22

All hardware is Compaq-supplied. Only output options are fast and binary.

The Snort interface is connected via fiber to a port on the 6500 and the VLAN for one of our internal networks is spanned to this port. Of the VLAN ports, 11 are GigE and two are 100BaseT. This VLAN (call it 10.10.0.0/16) serves multiple floors in multiple buildings for about 2500 systems.

Yesterday, I set up a cron job to grab statistics every hour on the Snort sensor:

0 * * * * killall -USR1 snort && sleep 10 && egrep "snort: Snort analyzed|snort: dropping" /var/log/messages | tail -2 | mail -s "Snort stats for `hostname` on `date`" me@my.domain

Which returns output like:

Mar 27 16:00:00 hostname snort: Snort analyzed 58659786 out of 102822893 packets,
Mar 27 16:00:00 hostname snort: dropping 44163107(42.951%) packets

Then at a specific hour (16:00 CST yesterday) I asked our network admin to reset the statistics on the Snort port of the 6500. Today at 09:00 I asked him to "show counters" on that port to get the transmitted packet counts (txHCTotalPkts). In theory, the total packets seen by the 6500 for that port should match the total packets seen by the Snort sensor.
Here are the numbers:

Snort sensor:
  Total packets analyzed: 1,347,042,936
  Total packets:          2,452,608,498
  Dropped packets:        1,105,565,562
  Drop percentage:        45.08%

Catalyst 6500:
  Total packets (txHCTotalPkts): 1,347,813,989
  Discards (ifOutDiscards):          8,182,354

So the average packets per second according to Snort is 40075, while according to the Cisco it is 22023. Why does my Snort sensor seem to be seeing approximately twice as many packets as the Cisco?

I can provide more of the Cisco stats if they are relevant.

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
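A small script that automates the cross-check the post describes, added here as an example (it is not part of Owen's post and not Snort's own code). It parses the two syslog lines Snort 1.8.x writes when it receives SIGUSR1, checks that each sample's analyzed + dropped equals its reported total, computes per-interval rates from consecutive samples, and compares a switch port's transmitted-packet count against both of Snort's cumulative figures. The 16:00 syslog pair, the 17-hour Snort totals and the txHCTotalPkts value are the ones quoted above; the 15:00 pair is constructed so that a delta can be taken, and the interval length of 17 hours is assumed from the 16:00-to-09:00 window in the post.

```python
"""Cross-check Snort's SIGUSR1 packet counters against a switch port counter.

Added example (not from the post or from Snort): parses the two syslog lines
Snort 1.8.x writes on SIGUSR1, checks the internal consistency of each sample,
computes per-interval rates, and compares a switch's transmitted-packet count
against both of Snort's cumulative figures.
"""
import re

# Two SIGUSR1 reports as syslog records them. The 16:00 pair is the one
# quoted in the post; the 15:00 pair is constructed so a delta can be taken.
SAMPLE_SYSLOG = """\
Mar 27 15:00:00 hostname snort: Snort analyzed 57000000 out of 100000000 packets,
Mar 27 15:00:00 hostname snort: dropping 43000000(43.000%) packets
Mar 27 16:00:00 hostname snort: Snort analyzed 58659786 out of 102822893 packets,
Mar 27 16:00:00 hostname snort: dropping 44163107(42.951%) packets
"""

# Cumulative figures quoted in the post for the 16:00-to-09:00 window.
POST_SNORT_TOTALS = {"analyzed": 1347042936, "total": 2452608498, "dropped": 1105565562}
POST_SWITCH_TX_PKTS = 1347813989      # txHCTotalPkts on the SPAN destination port
POST_INTERVAL_SECONDS = 17 * 3600     # assumed: 16:00 CST to 09:00 the next day

_TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
ANALYZED_RE = re.compile(_TS + r"Snort analyzed (?P<analyzed>\d+) out of (?P<total>\d+) packets,")
DROPPING_RE = re.compile(_TS + r"dropping (?P<dropped>\d+)\((?P<pct>[\d.]+)%\) packets")


def parse_snort_stats(text):
    """Pair each 'Snort analyzed' line with the 'dropping' line that follows it.

    Returns a list of dicts with keys ts, host, analyzed, total, dropped, drop_pct.
    A 'dropping' line is only accepted if it carries the same timestamp as the
    pending 'analyzed' line, so an unrelated line in between does not mis-pair.
    """
    samples = []
    pending = None
    for line in text.splitlines():
        m = ANALYZED_RE.match(line)
        if m:
            pending = {"ts": m["ts"], "host": m["host"],
                       "analyzed": int(m["analyzed"]), "total": int(m["total"])}
            continue
        m = DROPPING_RE.match(line)
        if m and pending is not None and pending["ts"] == m["ts"]:
            pending["dropped"] = int(m["dropped"])
            pending["drop_pct"] = float(m["pct"])
            samples.append(pending)
            pending = None
    return samples


def counters_consistent(sample):
    """True when Snort's 'total' equals analyzed + dropped for this sample."""
    return sample["analyzed"] + sample["dropped"] == sample["total"]


def interval_rates(earlier, later, seconds):
    """Per-second rates over the interval between two cumulative samples."""
    d_total = later["total"] - earlier["total"]
    d_analyzed = later["analyzed"] - earlier["analyzed"]
    d_dropped = later["dropped"] - earlier["dropped"]
    return {
        "pps_total": d_total / seconds,
        "pps_analyzed": d_analyzed / seconds,
        "drop_pct": 100.0 * d_dropped / d_total if d_total else 0.0,
    }


def compare_with_switch(snort, switch_tx_pkts, seconds, tolerance=0.01):
    """Compare a switch port's transmitted-packet count with Snort's two counters.

    'matches' names whichever Snort counter the switch count agrees with to
    within the relative tolerance ('analyzed', 'total', or None).
    """
    result = {
        "switch_pps": switch_tx_pkts / seconds,
        "snort_total_pps": snort["total"] / seconds,
        "snort_analyzed_pps": snort["analyzed"] / seconds,
        "ratio_to_total": switch_tx_pkts / snort["total"],
        "ratio_to_analyzed": switch_tx_pkts / snort["analyzed"],
        "matches": None,
    }
    if abs(result["ratio_to_analyzed"] - 1.0) <= tolerance:
        result["matches"] = "analyzed"
    elif abs(result["ratio_to_total"] - 1.0) <= tolerance:
        result["matches"] = "total"
    return result


if __name__ == "__main__":
    samples = parse_snort_stats(SAMPLE_SYSLOG)
    for s in samples:
        print(s["ts"], "consistent:", counters_consistent(s))
    print("hourly rates:", interval_rates(samples[0], samples[1], 3600))
    print("vs. switch:", compare_with_switch(POST_SNORT_TOTALS, POST_SWITCH_TX_PKTS,
                                             POST_INTERVAL_SECONDS))
```

Run against the figures in the post, the comparison reports that the switch's txHCTotalPkts lands within 0.1% of Snort's "analyzed" count rather than of its "total" (analyzed + dropped), and that the two sides' per-second rates (about 22023 and 40075) differ by exactly that ratio; that is the relationship worth pinning down before reading the drop percentage as packets the switch forwarded but the sensor never saw.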
Current thread:
- Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)
- Re: Drop statistics and Cisco Catalyst 6500 Rich Adamson (Mar 27)
- <Possible follow-ups>
- RE: Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Rich Adamson (Mar 27)
- Re: Drop statistics and Cisco Catalyst 6500 Dr. Richard W. Tibbs (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Madziarczyk, Jonathan (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)