Snort mailing list archives
Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Mon, 14 Dec 2015 11:30:00 +0530
Hi,

I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade one of my sensors showed (somewhat expected) packet drops. However, after the upgrade the packet drop increased significantly even though the number of rules decreased (as SO rules are not in use with 2.9.8.0). I am still using Snort-2.9.7.6 rulesets (as advised by you).

Here is a snip from my snort.stats file for 2.9.8.0:

    #time,pkt_drop_percent,wire_mbits_per_sec.realtime
    1450068900,33.873,124.415
    1450069200,23.718,121.253
    1450069500,26.014,120.349
    1450069800,26.368,120.821
    1450070100,23.706,116.493
    1450070400,21.039,121.363

For Snort-2.9.7.6, the snip is:

    #time,pkt_drop_percent,wire_mbits_per_sec.realtime
    1450071180,0.000,79.159
    1450071480,0.000,118.671
    1450071780,2.146,132.186
    1450072080,8.337,130.408

Looking at end-of-snort stats. This is for 2.9.8.0:

    Packet I/O Totals:
       Received:    804563792
       Analyzed:    388361098 ( 48.270%)
        Dropped:    298207658 ( 27.042%)
       Filtered:    415840607 ( 51.685%)
    Outstanding:       362087 (  0.045%)
       Injected:            0

And this is for 2.9.7.6:

    Packet I/O Totals:
       Received:     60969886
       Analyzed:     30035104 ( 49.262%)
        Dropped:       742645 (  1.203%)
       Filtered:     30927585 ( 50.726%)
    Outstanding:         7197 (  0.012%)
       Injected:            0

I have a longish BPF filter, so is the filtered count an indication of the amount of traffic which was filtered by that filter? Also, is the dropped count a subset of the analyzed count or the received count? I ask this because it appears received_count = analyzed + filtered, so dropped_count doesn't really fit in.

Regards,
Dheeraj
------------------------------------------------------------------------------
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
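The two "Packet I/O Totals" blocks quoted in the post above are enough to check the accounting question by arithmetic: in both blocks Received equals Analyzed + Filtered + Outstanding exactly, and the printed Dropped percentage is Dropped / (Received + Dropped) rather than a share of Received, while the Analyzed, Filtered and Outstanding percentages are shares of Received. The script below is an added example, not part of the original post or of the Snort project; it parses an end-of-run totals block and a snort.stats perfmon snip (both reproduced inline from the post as constructed sample input), verifies that invariant, and recomputes the percentages so they can be compared with what Snort printed. The function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from statistics import mean

# Constructed sample input: the two "Packet I/O Totals" blocks quoted in the post.
STATS_2980 = """\
Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
Outstanding:       362087 (  0.045%)
   Injected:            0
"""

STATS_2976 = """\
Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
Outstanding:         7197 (  0.012%)
   Injected:            0
"""

# Constructed sample input: the 2.9.8.0 snort.stats snip from the post.
PERFMON_2980 = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
1450069800,26.368,120.821
1450070100,23.706,116.493
1450070400,21.039,121.363
"""

COUNTER_RE = re.compile(r"^\s*(\w+):\s+(\d+)")


@dataclass
class PacketIO:
    received: int
    analyzed: int
    dropped: int
    filtered: int
    outstanding: int
    injected: int

    def accounted(self) -> int:
        """Packets Snort accounts for out of Received (dropped ones never reach it)."""
        return self.analyzed + self.filtered + self.outstanding

    def is_consistent(self) -> bool:
        """True when Received == Analyzed + Filtered + Outstanding."""
        return self.received == self.accounted()

    def pct(self, name: str) -> float:
        """Percentage as printed in the block: dropped is over Received + Dropped,
        the others over Received. Rounded to the three decimals Snort prints."""
        value = getattr(self, name)
        base = self.received + self.dropped if name == "dropped" else self.received
        return round(100.0 * value / base, 3) if base else 0.0


def parse_packet_io(text: str) -> PacketIO:
    """Parse a 'Packet I/O Totals' block; the parenthesised percentages are ignored
    so they can be recomputed and compared."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return PacketIO(**{f: counters[f] for f in PacketIO.__dataclass_fields__})


def parse_perfmon(text: str) -> list:
    """Parse a snort.stats perfmon CSV; the '#'-prefixed header names the columns."""
    lines = [l for l in text.splitlines() if l.strip()]
    columns = lines[0].lstrip("#").split(",")
    rows = []
    for line in lines[1:]:
        values = line.split(",")
        rows.append({c: (int(v) if c == "time" else float(v)) for c, v in zip(columns, values)})
    return rows


def drop_summary(rows: list) -> dict:
    """Min/max/mean of pkt_drop_percent across the sampled intervals."""
    drops = [r["pkt_drop_percent"] for r in rows]
    return {"min": min(drops), "max": max(drops), "mean": mean(drops)}


if __name__ == "__main__":
    for label, text in (("2.9.8.0", STATS_2980), ("2.9.7.6", STATS_2976)):
        io = parse_packet_io(text)
        print(label, "received == analyzed+filtered+outstanding:", io.is_consistent())
        for f in ("analyzed", "dropped", "filtered", "outstanding"):
            print(f"  {f:12s} {io.pct(f):7.3f}%")
    print("2.9.8.0 perfmon drop summary:", drop_summary(parse_perfmon(PERFMON_2980)))
```

Running it against the posted numbers reproduces every printed percentage, which is the quickest way to see that Dropped sits outside the Received total rather than inside Analyzed. The same parser can be pointed at any sensor's end-of-run output to spot a totals block that does not balance.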
Current thread:
- Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Dheeraj Gupta (Dec 13)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Nageswara Rao A.V.K (navk) (Dec 14)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Dheeraj Gupta (Dec 14)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Dheeraj Gupta (Dec 16)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Nageswara Rao A.V.K (navk) (Dec 16)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Dheeraj Gupta (Dec 16)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Dheeraj Gupta (Dec 18)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Dheeraj Gupta (Dec 14)
- Re: Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6 Nageswara Rao A.V.K (navk) (Dec 14)