Snort mailing list archives
Re: Snort Stats (% Packet Loss)
From: "Kurzawa, Kevin" <kkurzawa () co pinellas fl us>
Date: Fri, 2 May 2014 15:40:37 -0400
As you say, the start up is definitely the highest packet drop percentage. But even that is a peak of 26. Here's the list of numbers from the relevant field in the stats file. Does ThePigDoktah look at other fields for this information?

    $ cat stats |cut -f 2 -d ,
    pkt_drop_percent
    26.447
    23.215
    11.228
    5.466
    3.789
    1.807
    2.918
    1.583
    3.296
    5.213
    0.401
    3.142
    3.444
    10.505
    2.058
    1.267
    4.113
    6.268
    1.432
    0.896
    2.468
    0.356
    4.884
    3.609
    0.765
    1.150
    3.100
    3.049
    1.798
    2.976
    1.395
    8.574
    12.834
    9.475
    6.947
    11.643
    10.214
    4.720
    2.089
    1.259
    6.927
    18.875
    12.649
    10.645
    4.849
    7.381
    3.539
    5.326

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Friday, May 02, 2014 3:33 PM
To: Kurzawa, Kevin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Stats (% Packet Loss)

You must have a line in there that shows >100%. Usually upon start up you'll have a line that reads like this.

On May 2, 2014, at 3:17 PM, Kurzawa, Kevin <kkurzawa () co pinellas fl us> wrote:

% Packet Loss from the output of ThePigDoktah shows it over 100%. What is ThePigDoktah reading to get this output?

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Friday, May 02, 2014 3:14 PM
To: Kurzawa, Kevin
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort Stats (% Packet Loss)

In the line you posted here, it appears you dropped 3.44% of packets for that interval.

--
Joel Esler
Sent from my iPhone

On May 2, 2014, at 15:09, "Kurzawa, Kevin" <kkurzawa () co pinellas fl us> wrote:

I recently set up ThePigDoktah for reading the perfmonitor stats output. The % Packet Loss it is giving is confusing me though. I set the perfmonitor to poll every 60 seconds. Tcpdump will read 100,000 packets and not drop a single one from the interface. Even while snort is running. I also see that the 2nd field in the stats output is the "pkt_drop_percent." And my numbers hang around 3-5. Not >100.

Can anyone help me understand the % packet loss? Obviously I'm not dropping 100% of my packets, I'm getting alerts and whatnot. I figure I just don't understand it.

STATS FILE

    #time,pkt_drop_percent
    ...
    1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150

THE PIG DOKTAH REPORT

    Report Info:
      Processed: stats
      First Entry: Fri May 2 14:46:53 2014
      Last Entry: Fri May 2 14:58:53 2014
      Time Span: 0 days, 0 hours, 12 minutes and 0 seconds

    Wirespeed:
      High: 138.603 Mbits/Sec | Fri May 2 14:55:53 2014
      Low: 99.941 Mbits/Sec | Fri May 2 14:46:53 2014
      Avg: 126.206 Mbits/Sec

    % Packet Loss:
      High: 124.234% | Fri May 2 14:58:53 2014
      Low: 0.000% | Fri May 2 14:48:53 2014
      Avg: 120.063%

    Additional Info:
      Avg Pkt Size: 659.974 bytes
      Avg Syns/Sec: 263.536
      Avg SynAcks/Sec: 263.990
      Avg Alerts/Sec: 0.061
      Avg Current Cached Sessions: 43037.147

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos. Get unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
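Added example, not part of the thread and not ThePigDoktah's code: one way to cross-check a reporting tool's figure against the raw perfmonitor stats file is to summarise pkt_drop_percent by header name (instead of a fixed cut position) and to list which field of which row holds the reported value. The sample rows and the col3/col4 header names are constructed for illustration; only "#time" and "pkt_drop_percent" are names from the thread.

```shell
#!/bin/sh
# Constructed sample in the CSV layout shown in the thread. Only "#time" and
# "pkt_drop_percent" are names from the thread; col3/col4 and every row are
# made up, with 124.234 placed in a later column on purpose.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#time,pkt_drop_percent,col3,col4
1399056413,26.447,99.941,0.000
1399056473,0.401,138.603,118.500
1399057133,3.444,122.361,124.234
EOF

# Summarise one column, located by header name rather than by position.
# Prints: high low avg rows out_of_range (values outside 0..100).
col_summary() {  # usage: col_summary FILE [COLUMN_NAME]
  awk -F, -v want="${2:-pkt_drop_percent}" '
    /^#/ { sub(/^#/, "", $1); col = 0
           for (i = 1; i <= NF; i++) if ($i == want) col = i
           next }
    col && NF >= col {
      v = $col + 0
      if (n == 0 || v > hi) hi = v
      if (n == 0 || v < lo) lo = v
      if (v < 0 || v > 100) bad++
      sum += v; n++
    }
    END { if (n == 0) exit 1   # no header match or no data rows
          printf "%.3f %.3f %.3f %d %d\n", hi, lo, sum / n, n, bad }
  ' "$1"
}

# List "timestamp:field_number" for every field equal to VALUE, to trace
# which column a figure in a report was read from.
find_value() {  # usage: find_value FILE VALUE
  awk -F, -v val="$2" '
    /^#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == val) print $1 ":" i }
  ' "$1"
}

col_summary "$SAMPLE"
col_summary "$SAMPLE" col4
find_value "$SAMPLE" 124.234
```

A non-zero out_of_range count for a percentage column means the figures being summarised cannot be a drop percentage as such, which is the cue to check which field the report is reading.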
Current thread:
- Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
- Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
- Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
- Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
- Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
- Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)
- Re: Snort Stats (% Packet Loss) Kurzawa, Kevin (May 02)
- Re: Snort Stats (% Packet Loss) Joel Esler (jesler) (May 02)