Snort mailing list archives
Re: packet I/O totals
From: Michael Altizer <mialtize () cisco com>
Date: Sun, 26 Feb 2017 20:30:37 -0500
Which DAQ module are you using? PCAP? Outstanding is simply Received -
Filtered - Analyzed. Received and Filtered counts come from the DAQ
module while Analyzed is how many packets Snort actually saw. The
Dropped count represents unintentional drops at the DAQ module or
hardware layer, usually due to overloading. Especially with the PCAP
module, we are at the mercy of how the underlying implementation happens
to report those Received and Dropped statistics (opaque to the user of
libpcap). So it appears that the packets that are being dropped due to
overruns are still being (double) counted by the hardware/libpcap as
also being received.
Relevant text from the man page for pcap_stats():
"""
A struct pcap_stat has the following members:
ps_recv
number of packets received;
ps_drop
number of packets dropped because there was no
room in the operating system's buffer when they arrived, because packets
weren't being read fast enough;
ps_ifdrop
number of packets dropped by the network interface
or its driver.
The statistics do not behave the same way on all platforms.
ps_recv might count packets whether they passed any filter set with
pcap_setfilter(3PCAP) or not, or it might count only packets that pass
the filter. It also might, or might not, count packets dropped because
there was no room in the operating system's buffer when they arrived.
ps_drop is not available on all platforms; it is zero on platforms
where it's not available. If packet filtering is done in libpcap,
rather than in the operating system, it would count packets that don't
pass the filter. Both ps_recv and ps_drop might, or might not, count
packets not yet read from the operating system and thus not yet seen by
the application. ps_ifdrop might, or might not, be implemented; if it's
zero, that might mean that no packets were dropped by the interface, or
it might mean that the statistic is unavailable, so it should not be
treated as an indication that the interface did not drop any packets.
"""
Basically, there's a whole bunch of uncertainty and we kind of try to do
our best.
On 02/23/2017 06:58 AM, Felix Erlacher wrote:
Hi all,
I have a question regarding the Snort Packet I/O totals.
This is what Snort tells me after I stop it with SIGTERM:
Packet I/O Totals:
Received: 2234257
Analyzed: 1327128 ( 59.399%)
Dropped: 907129 ( 28.877%)
Filtered: 0 ( 0.000%)
Outstanding: 907129 ( 40.601%)
Injected: 0
The snort manual says "Outstanding indicates how many packets are
buffered awaiting processing" and further refers to the DAQ
documentation. (The DAQ readme gives no info on this, and I
couldn't find any other DAQ docs.)
There are a few oddities here:
The "Dropped" and "Outstanding" numbers are exactly the same, namely the
difference between "analyzed" and "received".
How can dropped packets be at the same time outstanding?
Of which number is 907129 28.877%?
Is the problem that I aborted Snort?
I am using snort 2.9.9.0 with DAQ 2.0.6 to analyze traffic from my
10GBit NIC with the shipped snort.conf in IDS mode.
BTW: There was already a similar discussion on this list, the problem
was solved by a new DAQ. At the moment I am using the newest DAQ.
thanks and greets
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
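A small Python model of the arithmetic Michael describes, added here as an example and not code from Snort, the DAQ library or libpcap. The Outstanding formula (Received - Filtered - Analyzed) is from his reply; the percentage denominators (Received for Analyzed, Filtered and Outstanding; Received + Dropped for Dropped) are inferred from the numbers Felix posted, which the code reproduces exactly, and are an assumption about Snort 2.9's reporting rather than a fact the thread states. Feeding the same dropped count together with a ps_recv that does not include the drops shows why Outstanding collapses to zero when the capture layer does not double count.

```python
"""Rebuild Snort 2.9-style 'Packet I/O Totals' from pcap_stat-like counters.

Added example for this thread, not Snort/DAQ/libpcap code. The counter names
mirror struct pcap_stat as quoted from the man page; the percentage
denominators are an assumption inferred from the posted totals.
"""
from dataclasses import dataclass


@dataclass
class PcapStat:
    """Mirror of the struct pcap_stat members quoted from the man page."""
    ps_recv: int        # packets received (may or may not include ps_drop)
    ps_drop: int        # dropped because the OS buffer was full
    ps_ifdrop: int = 0  # dropped by NIC/driver; zero may just mean 'unavailable',
                        # so it is deliberately not folded into Dropped here


def pct(part: int, whole: int) -> float:
    """Percentage rounded to three decimals like Snort's output; 0.0 if whole == 0."""
    return round(100.0 * part / whole, 3) if whole else 0.0


def packet_io_totals(stats: PcapStat, analyzed: int,
                     filtered: int = 0, injected: int = 0) -> dict:
    """Compute the Packet I/O Totals block.

    Outstanding = Received - Filtered - Analyzed (Michael's explanation).
    If the capture layer also counts dropped packets in ps_recv (the double
    counting discussed in the thread), Outstanding equals Dropped even
    though nothing is actually buffered awaiting processing.
    Denominators: Received for Analyzed/Filtered/Outstanding, Received +
    Dropped for Dropped (assumption inferred from the posted numbers).
    """
    received = stats.ps_recv
    dropped = stats.ps_drop
    outstanding = received - filtered - analyzed
    return {
        "Received": received,
        "Analyzed": (analyzed, pct(analyzed, received)),
        "Dropped": (dropped, pct(dropped, received + dropped)),
        "Filtered": (filtered, pct(filtered, received)),
        "Outstanding": (outstanding, pct(outstanding, received)),
        "Injected": injected,
    }


def diagnose(totals: dict) -> str:
    """Interpret the block the way the thread does: equal Dropped and
    Outstanding after shutdown points at double counting, not a backlog."""
    dropped, _ = totals["Dropped"]
    outstanding, _ = totals["Outstanding"]
    if dropped and outstanding == dropped:
        return "outstanding == dropped: capture layer counts drops in ps_recv too"
    if outstanding > 0:
        return "packets still buffered in the DAQ at shutdown"
    return "all received packets were analyzed"


def format_totals(totals: dict) -> str:
    """Render the block in the layout Snort prints."""
    lines = ["Packet I/O Totals:"]
    for name, value in totals.items():
        if isinstance(value, tuple):
            count, p = value
            lines.append(f"{name:>12}: {count:>10} ({p:>8.3f}%)")
        else:
            lines.append(f"{name:>12}: {value:>10}")
    return "\n".join(lines)


# Constructed inputs: Felix's counters, where ps_recv evidently includes the
# dropped packets (2234257 = 1327128 analyzed + 907129 dropped).
FELIX = packet_io_totals(PcapStat(ps_recv=2234257, ps_drop=907129), analyzed=1327128)

# Constructed contrast: same drops, but ps_recv counts only delivered packets.
CLEAN = packet_io_totals(PcapStat(ps_recv=1327128, ps_drop=907129), analyzed=1327128)

if __name__ == "__main__":
    for totals in (FELIX, CLEAN):
        print(format_totals(totals))
        print("->", diagnose(totals), "\n")
```

Run as-is, the first block reproduces the posted output (59.399%, 28.877%, 40.601%) and the diagnosis names the double counting; the second shows Outstanding at 0 with Dropped unchanged, which is what the same shutdown would report on a platform whose ps_recv excludes drops.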