Snort mailing list archives
Possible bug in perfmonitor: pkt_drop_percent
From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Thu, 25 Aug 2016 16:29:12 +0530
Hi,

I had earlier written to this list to report large packet drops in 2.9.8.x ( https://sourceforge.net/p/snort/mailman/snort-devel/thread/CAOsL98NEqzDEXVH6d2Cu8cbrD-i6MWJ_fHcYZdL9ZS6w3PKMYw%40mail.gmail.com/#msg34692462 ). I got hit with this again after upgrading to 2.9.8.3 from 2.9.7.6 on one of my heavier sensors. The pkt drops as reported in the snort.stats file (by perfmonitor) are a mind-boggling 70-80%. Despite putting BPF filters in place (which reduced the packets snort sees), the drop rate did not reduce a bit.

Here are the end-of-session totals seen in snort when the filter is in effect:

    Snort processed 4225228 packets.
    Snort ran for 0 days 0 hours 8 minutes 37 seconds
       Pkts/min:       528153
       Pkts/sec:         8172
    ========================================================
    Packet I/O Totals:
       Received:     35543908
       Analyzed:      4225228 ( 11.887%)
        Dropped:     13258753 ( 27.168%)
       Filtered:     30643474 ( 86.213%)
    Outstanding:       675206 (  1.900%)
       Injected:            0
    =========================================================

However, this is what is logged in the stats file (I write it to a DB):

    +---------------------+------------------------------+-----------------------+-------------------------+
    | timestamp           | round(kpackets_wire_per_sec) | round(wire_traf_rate) | round(pkt_drop_percent) |
    +---------------------+------------------------------+-----------------------+-------------------------+
    | 2016-08-25 16:00:00 |                            8 |                    38 |                      78 |
    | 2016-08-25 15:55:00 |                            1 |                     4 |                      61 |
    +---------------------+------------------------------+-----------------------+-------------------------+

While the effective drop rate is around 28%, the stats file shows it as 75-80%!!

Looking at the code, the problem becomes clearer:

- End Stats (src/util.c:DropStats)
  Dropped packets is hw_packets_dropped/(hw_packets_dropped + hw_packets_received)*100.0
  This means this is totally derived from hardware and Snort doesn't come into the picture. Seems legit.

- PerfMonitor (src/preprocessors/perf-base.c:GetPktDropStats)
  Dropped packets is calculated as hw_pkts_drop/(pkts_recv + hw_packets_drop)
  Here pkts_recv is packets received by snort.

As a large number of packets are filtered, the number of packets actually received by snort is less and so the reported % drops are higher. I think it would be better if perfmonitor also computed drop percent based on hw_packets_received and NOT packets_received_by_snort, because filtered packets are not drops.

Note: The gripe with slower performance in 2.9.8.x is still there. Here are the reference stats for 2.9.7.6 for the same sensor about an hour earlier:

    Snort processed 9984264 packets.
    Snort ran for 0 days 0 hours 12 minutes 52 seconds
       Pkts/min:       832022
       Pkts/sec:        12932
    =======================================================
    Packet I/O Totals:
       Received:     52933119
       Analyzed:      9984264 ( 18.862%)
        Dropped:            0 (  0.000%)
       Filtered:     42951276 ( 81.143%)
    Outstanding:            0 (  0.000%)
       Injected:            0
    =======================================================

Regards,
Dheeraj
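The two formulas the mail contrasts, recomputed over the Packet I/O totals it quotes. This is an added example, not code from the post or from Snort; it assumes the Analyzed counter is a fair stand-in for perfmon's pkts_recv, which the post does not pin down.

```python
# Added example (not part of the original post): recompute the two drop-percent
# formulas described in the mail from the Packet I/O totals it quotes.
from dataclasses import dataclass


@dataclass(frozen=True)
class IoTotals:
    """Packet I/O counters as printed in Snort's end-of-session summary."""
    received: int  # packets the DAQ/hardware delivered (hw_packets_received)
    analyzed: int  # packets Snort processed after the BPF filter
    dropped: int   # packets the DAQ/hardware reported dropped (hw_packets_dropped)
    filtered: int  # packets discarded by the BPF filter before Snort saw them


def pct(numerator: int, denominator: int) -> float:
    """Percentage with a guard for an empty denominator (idle sensor)."""
    return 100.0 * numerator / denominator if denominator else 0.0


def drop_percent_dropstats(t: IoTotals) -> float:
    """src/util.c:DropStats as described in the mail:
    hw_packets_dropped / (hw_packets_dropped + hw_packets_received)."""
    return pct(t.dropped, t.dropped + t.received)


def drop_percent_perfmon(t: IoTotals) -> float:
    """perf-base.c:GetPktDropStats as described in the mail:
    hw_pkts_drop / (pkts_recv + hw_pkts_drop), where pkts_recv counts packets
    Snort itself received. Assumption: the Analyzed counter stands in for pkts_recv."""
    return pct(t.dropped, t.analyzed + t.dropped)


def drop_percent_perfmon_proposed(t: IoTotals) -> float:
    """The change the mail proposes: the perfmon computation with the hardware
    received count in the denominator, so filtered packets are not counted as drops."""
    return pct(t.dropped, t.received + t.dropped)


# Totals constructed from the two session summaries quoted in the mail.
FILTERED_RUN_2983 = IoTotals(received=35543908, analyzed=4225228,
                             dropped=13258753, filtered=30643474)
REFERENCE_RUN_2976 = IoTotals(received=52933119, analyzed=9984264,
                              dropped=0, filtered=42951276)

if __name__ == "__main__":
    for name, run in (("2.9.8.3 with BPF", FILTERED_RUN_2983),
                      ("2.9.7.6 reference", REFERENCE_RUN_2976)):
        print(f"{name}: DropStats {drop_percent_dropstats(run):.3f}%  "
              f"perfmon {drop_percent_perfmon(run):.1f}%  "
              f"perfmon (proposed) {drop_percent_perfmon_proposed(run):.3f}%")
```

With the filtered run, DropStats gives the 27.168% printed in the summary while the perfmon formula gives about 75.8%, the same band the stats table shows; swapping in the hardware received count brings perfmon back in line with DropStats.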