Snort mailing list archives

Re: Crazy snort packet stats

From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Thu, 3 Sep 2009 14:25:09 -0400

It seems to me that we missed the point where "Received" grows greater than
2^32. I bet this is what it's supposed to look like:

Received: 6375266719 (Your current received plus 2^32)
Analyzed: 6254554910
Dropped:    120711785
Outstanding:           24

A couple questions to help me narrow down the problem:
- Have you managed to reproduce this? (Not that I would expect it to happen
twice.)
- Which OS are you running? Version of libpcap?
- How fast is the traffic that you're inspecting?

Thanks for reporting this. I'll have to take another look at the function
where we look for that counter wrap-around.

-Ryan

On Thu, Sep 3, 2009 at 11:17 AM, Billy Marshall
<Billy.Marshall () state co us>wrote:

 Hi All,
Check this out please. It seems a bit weird

Sep  3 09:07:55 xxxx snort[24051]:    Packet Wire Totals:
Sep  3 09:07:55 xxxx snort[24051]:    Received:   2080299423
Sep  3 09:07:55 xxxx snort[24051]:    Analyzed:   6254554910 (300.656%)
Sep  3 09:07:55 xxxx snort[24051]:    Dropped:    120711785 (5.803%)
Sep  3 09:07:55 xxxx snort[24051]:    Outstanding: 18446744069414584344
(886735047150.690%)

xxxx:/etc/snort # snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.4.1 (Build 38)  i386
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           Copyright (C) 1998-2009 Sourcefire, Inc., et al.
           Using PCRE version: 6.4 05-Sep-2005
I am not sure what's going on with this. But, the outstanding packets are
at a ridiculous percentage and the analyzed packets are 3 times what has
been received.



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

on to snort TROUBLESHOOTING Ron Kaye Jr (Sep 02)
- Crazy snort packet stats Billy Marshall (Sep 07)
  - Message not available
    - Re: severity rating Nigel Houghton (Sep 07)
  - Re: Crazy snort packet stats Ryan Jordan (Sep 07)
    - Re: Crazy snort packet stats Nerijus Krukauskas (Sep 07)
    - Message not available
    - Re: Crazy snort packet stats Billy Marshall (Sep 07)