Snort mailing list archives
Re: Clarification upon stats
From: Reinoud Koornstra <sockstat () hotmail com>
Date: Tue, 30 Jul 2013 08:13:39 +0000
Hi Everyone,

Does anybody have time to answer my question?

Thanks,
Reinoud.

Date: Wed, 24 Jul 2013 03:01:06 -0700
Subject: Clarification upon stats
From: sockstat () hotmail com
To: snort-devel () lists sourceforge net

Hi Everyone,

I wanted to ask about the performance counters that snort maintains. In the function detection_option_tree_evaluate you start maintaining ruleOTNEvalPerfStats using a macro. But this actually kicks in for any type of node, while only the leaf nodes seem to be an OTN. It also adds up when a node type is Flow or pcre etc., so maybe it should better be called ruleNODEEvalPerfStats?

In detection_option_tree_evaluate you call detection_option_node_evaluate, which in case of a leaf node gets the RTN from the OTN, and fpEvalRTN is called, where you maintain ruleRTNEvalPerfStats. So in the end screen where you print the stats out, it seems to me that the microseconds for rule tree eval contain the rtn eval microseconds, because fpEvalRTN is called while counting the clock ticks for ruleOTNEvalPerfStats.

In profile.c you print the amount of microseconds out. So rule tree eval is not just the ticks spent in detection_option_tree_evaluate, it has the clock ticks spent in fpEvalRTN included, while rtn eval is printed out separately. The same thing holds for the mpse stats: when __process_queue calls rule_tree_match, then the ticks spent in detection_option_tree_evaluate and fpEvalRTN are included in the ticks spent in mpseSearch.

Hence it seems there is some overlap in the stats, because I don't see the ticks spent in fpEvalRTN subtracted from the amount of ticks spent in detection_option_tree_evaluate, for example, or did I miss this?

Also, in case of a Core 2 Duo CPU the TSC isn't stable, and hence the calculation of how many clock ticks occur per microsecond might not be accurate?

Thanks,
Reinoud.
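The kind of overlap the message asks about, as an added example that is not part of the original post and is not Snort's code: nested counters on a simulated tick clock, where each stat's inclusive total contains the ticks of the stats nested inside it, and subtracting the recorded child ticks yields exclusive figures that sum to the elapsed total. The counter names, tick values, and the helpers `prof_start`, `prof_end` and `exclusive` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a TSC read: a counter advanced by fake work. */
static uint64_t fake_tsc;
static void work(uint64_t ticks) { fake_tsc += ticks; }

/* incl = ticks between start and end; child = ticks spent in nested stats. */
typedef struct { const char *name; uint64_t incl, child; } prof_stat;

/* Hypothetical counters named after the three stats in the message. */
static prof_stat mpse = {"mpse", 0, 0};
static prof_stat tree = {"rule tree eval", 0, 0};
static prof_stat rtn  = {"rtn eval", 0, 0};

static prof_stat *active[8];   /* stack of counters currently running */
static int depth;

static uint64_t prof_start(prof_stat *s) { active[depth++] = s; return fake_tsc; }

static void prof_end(prof_stat *s, uint64_t t0)
{
    uint64_t d = fake_tsc - t0;
    s->incl += d;
    depth--;
    if (depth > 0)
        active[depth - 1]->child += d;   /* remember the overlap in the caller */
}

/* Ticks spent in this stat's own code, nested stats subtracted. */
static uint64_t exclusive(const prof_stat *s) { return s->incl - s->child; }

/* Call chain mirroring the one described: search -> tree eval -> RTN eval. */
static void eval_rtn(void)  { uint64_t t = prof_start(&rtn);  work(30); prof_end(&rtn, t); }
static void eval_tree(void) { uint64_t t = prof_start(&tree); work(50); eval_rtn(); work(20); prof_end(&tree, t); }
static void search(void)    { uint64_t t = prof_start(&mpse); work(100); eval_tree(); prof_end(&mpse, t); }

int main(void)
{
    prof_stat *all[] = { &mpse, &tree, &rtn };
    search();
    for (int i = 0; i < 3; i++)
        printf("%-15s inclusive=%3llu exclusive=%3llu\n", all[i]->name,
               (unsigned long long)all[i]->incl,
               (unsigned long long)exclusive(all[i]));
    printf("total ticks elapsed: %llu\n", (unsigned long long)fake_tsc);
    return 0;
}
```

With these constructed values the inclusive columns add up to more than the ticks that actually elapsed, which is why inclusive percentages in a nested profile cannot be summed.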