Snort mailing list archives
RE: Snort PerfMon preprocessor output
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Fri, 22 Oct 2004 13:04:23 +0900
Changed the perfmonitor settings to include console output, so I could double check what each column was actually showing. Here is what got recorded by syslog:

    Oct 22 12:47:06 snort snort: Snort Realtime Performance : Fri Oct 22 12:47:06 2004
    Oct 22 12:47:06 snort snort: --------------------------
    Oct 22 12:47:06 snort snort: Pkts Recv: 1944
    Oct 22 12:47:06 snort snort: Pkts Drop: 18446744073709551559
    Oct 22 12:47:06 snort snort: % Dropped: 948906588153783552.00%
    Oct 22 12:47:06 snort snort: KPkts/Sec: 0.48
    Oct 22 12:47:06 snort snort: Bytes/Pkt: 627
    Oct 22 12:47:06 snort snort: Mbits/Sec: 2.40 (wire)
    Oct 22 12:47:06 snort snort: Mbits/Sec: 0.01 (rebuilt)
    Oct 22 12:47:06 snort snort: Mbits/Sec: 2.40 (total)
    Oct 22 12:47:06 snort snort: PatMatch: 87.47%
    Oct 22 12:47:06 snort snort: CPU Usage: 3.62% (user) 0.81% (sys) 95.58% (idle)
    Oct 22 12:47:06 snort snort: Alerts/Sec : 0.0
    Oct 22 12:47:06 snort snort: Syns/Sec : 9.5
    Oct 22 12:47:06 snort snort: Syn-Acks/Sec : 9.6
    Oct 22 12:47:06 snort snort: New Sessions/Sec: 13.4
    Oct 22 12:47:06 snort snort: Del Sessions/Sec: 12.9
    Oct 22 12:47:06 snort snort: Total Sessions : 263
    Oct 22 12:47:06 snort snort: Max Sessions : 517
    Oct 22 12:47:06 snort snort: Stream Flushes/Sec : 17.4
    Oct 22 12:47:06 snort snort: Stream Faults/Sec : 0
    Oct 22 12:47:06 snort snort: Stream Timeouts : 2
    Oct 22 12:47:06 snort snort: Frag Completes()s/Sec: 0.0

So, it looks like field 2 is the % dropped packets. The problem actually seems to be in the dropped packets counter. It claims I dropped more than 100 Billion packets, when I only received 1944. Must be a bug in the performance counter. Anyone have any ideas?

Barry

-----Original Message-----
From: Basselgia, Barry A Mr (NAF Atsugi)
Sent: Thursday, October 21, 2004 5:00 PM
To: 'snort-users () lists sourceforge net'
Subject: Snort PerfMon preprocessor output

I'm trying to figure out how to gauge the performance on my snort sensor. I have the perfmonitor preprocessor configured with the below line in my snort.conf file.

    preprocessor perfmonitor: time 60 events flow file /var/log/snort/snort.stats pktcnt 50

I was using the perfmon-graph.pl file to generate charts from the file. But the charts don't seem to match observed performance. The first thing that appears to be strange is in the % Packets Dropped data. If I'm not mistaken, it's the second field in the snort.stats file, the time stamp being the first field. It is regularly recording that the % Packets Dropped is greater than 100, in some instances much, much greater than 100. I'll include sample data below. Is there any more info on the perfmonitor preprocessor, other than what's in the snort_manual.pdf file? Anybody have any idea why it claims I'm dropping Billions % packets.

    snort:/var/log/snort # more snort.stats
    1098299821,0.000,0.1,0.0,0.0,469,83.59,0.5,0.5,0.5,0.4,11,15,0.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
    1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
    1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
    1098300022,32.718,0.2,0.0,0.1,280,73.48,0.7,0.7,0.7,0.8,9,16,1.1,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
    1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.7
    1098300144,534533296833078848.000,0.6,0.0,0.1,638,88.10,2.8,2.8,2.9,2.9,15,21,5.6,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.2
    1098300206,0.000,0.2,0.0,0.1,532,84.87,1.7,1.7,1.7,1.8,11,21,3.2,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.7
    1098300270,0.000,0.2,0.0,0.0,660,108.07,1.2,1.2,1.2,1.1,15,21,2.4,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.1,99.2
    1098300342,15.919,0.3,0.0,0.1,366,87.41,1.3,1.3,1.3,1.4,10,25,2.5,0,3,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
    1098300416,100.000,0.3,0.0,0.1,590,87.64,0.9,0.9,0.9,0.9,8,25,1.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
    1098300483,100.000,0.2,0.0,0.0,515,85.02,0.7,0.7,0.7,0.7,13,25,1.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.8
    1098300551,0.000,0.3,0.0,0.1,477,83.42,2.5,2.5,2.6,2.5,15,25,4.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
    1098300613,2.852,0.5,0.0,0.1,462,85.56,2.2,2.2,2.3,2.2,17,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.1
    1098300675,100.000,0.4,0.0,0.1,549,86.72,0.8,0.8,0.8,1.0,9,25,1.6,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
    1098300741,0.000,0.3,0.0,0.1,550,85.84,1.7,1.7,1.7,1.6,14,25,2.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
    1098300813,0.000,0.1,0.0,0.0,321,84.21,1.3,1.3,1.3,1.3,13,25,3.2,0,3,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
    1098300880,0.000,0.2,0.0,0.1,476,89.38,1.9,1.9,1.9,1.9,13,25,4.5,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
    1098300944,18.444,0.3,0.0,0.1,298,75.11,1.5,1.5,1.5,1.6,11,25,3.4,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
    1098301018,100.000,0.1,0.0,0.0,619,133.61,1.2,1.2,1.3,1.3,15,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,1.4,0.0,98.6
    1098301097,100.000,0.1,0.0,0.0,292,77.05,1.1,1.1,1.1,1.2,10,25,2.9,0,3,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.8
    1098301175,0.000,0.1,0.0,0.0,367,81.32,1.0,1.0,1.0,1.0,6,25,2.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
    1098301239,12.576,0.4,0.0,0.1,382,81.06,1.9,1.9,2.0,1.8,17,25,4.1,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
    1098301311,100.000,0.2,0.0,0.1,550,90.52,1.5,1.5,1.5,1.6,7,25,4.0,0,3,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
    1098301373,0.000,0.2,0.0,0.0,486,85.79,1.5,1.5,1.5,1.5,8,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
    1098301442,0.000,0.2,0.0,0.0,459,84.36,1.5,1.5,1.5,1.5,12,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
    1098301502,0.000,0.4,0.0,0.1,491,86.14,2.0,2.0,2.1,2.1,12,25,4.7,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
    1098301574,69.776,0.3,0.0,0.1,363,83.81,1.5,1.5,1.5,1.5,12,25,3.6,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
    1098301636,100.000,0.1,0.0,0.0,331,96.05,1.2,1.2,1.2,1.3,11,25,3.3,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
    1098301702,794091436664208000.000,0.2,0.0,0.1,404,90.60,1.7,1.7,1.8,1.7,16,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
    1098301763,100.000,0.2,0.0,0.1,404,88.06,1.4,1.4,1.4,1.4,14,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
    1098301825,7.348,0.5,0.0,0.2,384,81.74,2.5,2.5,2.7,2.6,20,27,5.5,0,2,0.0,0.0,0.0,0.0,0,0,0.9,0.2,99.0
    1098301885,100.000,0.2,0.0,0.1,390,81.39,1.8,1.8,1.9,1.9,17,27,4.3,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
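A small sanity checker for the symptoms shown in the thread, added here as an illustration (not code from the post or from the Snort project). It flags snort.stats records whose second field (% dropped, per the post) is outside 0..100, and reinterprets the reported Pkts Drop value 18446744073709551559 as a 64-bit two's-complement integer, which gives -57; the reading that a negative drop count was stored in an unsigned counter is an assumption, not something the post confirms. The only field layout assumed is the one the post states: field 1 is a Unix timestamp, field 2 is % packets dropped.

```python
"""Sanity-check Snort perfmonitor output (illustrative, not Snort code)."""

UINT64 = 1 << 64
INT64_MIN_AS_UNSIGNED = 1 << 63


def as_signed64(counter: int) -> int:
    """Reinterpret an unsigned 64-bit counter as a two's-complement int64.

    Assumption: a huge drop count close to 2**64 is a small negative number
    that was stored in an unsigned variable.
    """
    return counter - UINT64 if counter >= INT64_MIN_AS_UNSIGNED else counter


def drop_counter_is_sane(recv: int, drop: int) -> bool:
    """A drop count can never exceed the received count or be negative."""
    return 0 <= drop <= recv


def parse_stats(text: str):
    """Parse snort.stats lines into (timestamp, pct_dropped) pairs."""
    rows = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 2:
            continue  # skip blank or truncated lines
        rows.append((int(fields[0]), float(fields[1])))
    return rows


def suspicious_rows(rows):
    """Return rows whose drop percentage is outside the possible 0..100 range."""
    return [(ts, pct) for ts, pct in rows if not 0.0 <= pct <= 100.0]


# Constructed sample: three records in the post's format, trimmed to the
# leading fields (only the first two are interpreted here).
SAMPLE = """1098299895,3.876,0.1,0.0,0.0,507,94.00
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05
1098300082,100.000,0.2,0.0,0.0,476,87.77
"""

if __name__ == "__main__":
    for ts, pct in suspicious_rows(parse_stats(SAMPLE)):
        print(f"{ts}: implausible % dropped {pct}")
    print(as_signed64(18446744073709551559))  # -57
```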