Snort mailing list archives

Re: Possible bug in perfmonitor: pkt_drop_percent


From: "Seshaiah Erugu (serugu)" <serugu () cisco com>
Date: Thu, 25 Aug 2016 12:38:26 +0000

Hi Dheeraj,

Thanks for reporting, will create a bug for this to investigate further.

Thanks,
Seshaiah Erugu.

From: Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
Sent: Thursday, August 25, 2016 4:47 PM
To: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Possible bug in perfmonitor: pkt_drop_percent

In continuation, here's an untested partial patch which assumes drops are calculated based on packets received by 
hardware.

On Thu, Aug 25, 2016 at 4:29 PM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
Hi,
I had earlier written to this list to report large packet drops in 2.9.8.x 
(https://sourceforge.net/p/snort/mailman/snort-devel/thread/CAOsL98NEqzDEXVH6d2Cu8cbrD-i6MWJ_fHcYZdL9ZS6w3PKMYw%40mail.gmail.com/#msg34692462)
I got hit with this again after upgrading to 2.9.8.3 from 2.9.7.6 in one of my heavier sensors. The pkt drops as reported 
in the snort.stats file (by perfmonitor) are a mind-boggling 70-80%. Despite putting BPF filters (which reduced the packets 
snort sees), the drop rate did not reduce a bit.
Here are the end-of-session totals seen in snort when the filter is in effect:

Snort processed 4225228 packets.
Snort ran for 0 days 0 hours 8 minutes 37 seconds
   Pkts/min:       528153
   Pkts/sec:         8172

========================================================
Packet I/O Totals:
   Received:     35543908
   Analyzed:      4225228 ( 11.887%)
    Dropped:     13258753 ( 27.168%)
   Filtered:     30643474 ( 86.213%)
Outstanding:       675206 (  1.900%)
   Injected:            0
=========================================================
However, this is what is logged in the stats file (I write it to a DB)

+---------------------+------------------------------+-----------------------+-------------------------+
| timestamp           | round(kpackets_wire_per_sec) | round(wire_traf_rate) | round(pkt_drop_percent) |
+---------------------+------------------------------+-----------------------+-------------------------+
| 2016-08-25 16:00:00 |                            8 |                    38 |                      78 |
| 2016-08-25 15:55:00 |                            1 |                     4 |                      61 |
While the effective drop rate is around 28%, stats file shows it as 75-80%!!
Looking at the code, the problem becomes clearer:
- End Stats - (src/util.c:DropStats)
  Dropped packets is hw_packets_dropped/(hw_packets_dropped + hw_packets_received)*100.0
  This means this is totally derived from hardware and Snort doesn't come into the picture. Seems legit.
- PerfMonitor - (src/preprocessors/perf-base.c:GetPktDropStats)
  Dropped packets is calculated as hw_pkts_drop/(pkts_recv + hw_packets_drop)
  Here pkts_recv is packets received by snort.
  As a large number of packets are filtered, the number of packets actually received by snort is lower and so the reported % 
drops are higher.
  I think it would be better if perfmonitor also computes drop percent based on hw_packets_received and NOT 
packets_received_by_snort because filtered packets are not drops.

Note: The gripe with slower performance in 2.9.8.x is still there. Here are the reference stats for 2.9.7.6 for the 
same sensor about an hour earlier:

Snort processed 9984264 packets.
Snort ran for 0 days 0 hours 12 minutes 52 seconds
   Pkts/min:       832022
   Pkts/sec:        12932

=======================================================
Packet I/O Totals:
   Received:     52933119
   Analyzed:      9984264 ( 18.862%)
    Dropped:            0 (  0.000%)
   Filtered:     42951276 ( 81.143%)
Outstanding:            0 (  0.000%)
   Injected:            0
=======================================================

Regards,
Dheeraj

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
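As an added illustration (this is neither Snort's code nor the partial patch Dheeraj refers to), the C program below evaluates the two drop-percent formulas described in the thread on the 2.9.8.3 session totals quoted above. The struct and function names are this example's own, and it assumes the "packets received by snort" counter equals the Analyzed total.

```c
/* Added example, not Snort source: compare the two drop-percent formulas
 * the thread describes on the session totals it quotes. */
#include <stdio.h>
#include <stdint.h>

/* Counter names are this example's own, modelled on the thread's description. */
typedef struct {
    uint64_t hw_packets_received;  /* DAQ/hardware "Received:" total          */
    uint64_t hw_packets_dropped;   /* DAQ/hardware "Dropped:" total           */
    uint64_t pkts_recv_by_snort;   /* packets that passed the BPF filter      */
} pkt_counters_t;

/* End-of-session formula (thread: src/util.c DropStats), hardware-derived only. */
double drop_pct_dropstats(const pkt_counters_t *c)
{
    uint64_t denom = c->hw_packets_dropped + c->hw_packets_received;
    if (denom == 0)
        return 0.0;                /* avoid division by zero on an idle sensor */
    return (double)c->hw_packets_dropped / (double)denom * 100.0;
}

/* perfmonitor formula as described for perf-base.c GetPktDropStats: the
 * denominator counts packets received by Snort, so BPF-filtered packets are
 * absent from it and the percentage is inflated. */
double drop_pct_perfmon_reported(const pkt_counters_t *c)
{
    uint64_t denom = c->pkts_recv_by_snort + c->hw_packets_dropped;
    if (denom == 0)
        return 0.0;
    return (double)c->hw_packets_dropped / (double)denom * 100.0;
}

/* The change the thread proposes: base perfmonitor on hw_packets_received too. */
double drop_pct_perfmon_proposed(const pkt_counters_t *c)
{
    return drop_pct_dropstats(c);
}

/* Constructed from the 2.9.8.3 "Packet I/O Totals" quoted in the thread;
 * pkts_recv_by_snort is assumed to be the Analyzed count. */
static const pkt_counters_t sample = {
    .hw_packets_received = 35543908,
    .hw_packets_dropped  = 13258753,
    .pkts_recv_by_snort  =  4225228,
};

int main(void)
{
    printf("DropStats          : %.3f%%\n", drop_pct_dropstats(&sample));
    printf("perfmon (reported) : %.3f%%\n", drop_pct_perfmon_reported(&sample));
    printf("perfmon (proposed) : %.3f%%\n", drop_pct_perfmon_proposed(&sample));
    return 0;
}
```

The first value reproduces the 27.168% from the session totals, while the second lands in the 70-80% range the stats file reports, which is the discrepancy the thread is about.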
