Snort mailing list archives

'kill snort-pid -USR1' returns unrealistic figures


From: Bruno Vuillemin <Bruno.Vuillemin () unifr ch>
Date: Thu, 21 Feb 2002 17:44:48 +0100


Hello everybody,

After a first mail about the fact that
"kill snort-pid -USR1" generated very unlikely statistics,
I got some advice about libpcap etc. Thanks.

So:
I upgraded the linux system (Red Hat 7.2) 
(applied all current patch rpms)
to kernel  2.4.9-21
I removed  the redhat libpcap rpm
I installed libpcap 0.7.1 (from www.tcpdump.org)
I upgraded snort to 1.8.3

The monitored ethernet card uses the driver eepro100 
/etc/modules.conf contains among other lines 
        alias eth0 eepro100

I didn't recompile the new kernel after reading
the libpcap 0.7.1 README.linux and its remark about
packet socket, because I got no complaint from snort
or the system. Since it is not a module
I think it is already included in the kernel...

And again the figures show something wrong...
(162'213, 214.539%, can't compare to the total 75'603).
Hence there's a doubt in my mind: /proc/net/dev shows
no problem getting the packets... but what about snort?

Any comments? Thanks.

Bruno Vuillemin, computer service, University of Fribourg/Freiburg, 
Switzerland.

Feb 21 16:34:17 snortBox snort:   ===============================================================================
Feb 21 16:34:17 snortBox snort: Snort analyzed 75603 out of 75610 packets,
Feb 21 16:34:17 snortBox snort: dropping 7(0.009%) packets
Feb 21 16:34:17 snortBox snort: Breakdown by protocol:                Action Stats:
Feb 21 16:34:17 snortBox snort:     TCP: 162213     (214.539%)         ALERTS: 48
Feb 21 16:34:17 snortBox snort:     UDP: 649        (0.858%)          LOGGED: 28
Feb 21 16:34:17 snortBox snort:    ICMP: 139        (0.184%)          PASSED: 0
Feb 21 16:34:17 snortBox snort:     ARP: 603        (0.798%)
Feb 21 16:34:17 snortBox snort:    IPv6: 0          (0.000%)
Feb 21 16:34:17 snortBox snort:     IPX: 0          (0.000%)
Feb 21 16:34:17 snortBox snort:   OTHER: 1099       (1.454%)
Feb 21 16:34:17 snortBox snort: DISCARD: 0          (0.000%)
Feb 21 16:34:17 snortBox snort: ===============================================================================
Feb 21 16:34:17 snortBox snort: Fragmentation Stats:
Feb 21 16:34:17 snortBox snort: Fragmented IP Packets: 0          (0.000%)
Feb 21 16:34:17 snortBox snort:     Fragment Trackers: 0
Feb 21 16:34:17 snortBox snort:    Rebuilt IP Packets: 0
Feb 21 16:34:17 snortBox snort:    Frag elements used: 0
Feb 21 16:34:17 snortBox snort: Discarded(incomplete): 0
Feb 21 16:34:17 snortBox snort:    Discarded(timeout): 0
Feb 21 16:34:17 snortBox snort:   Frag2 memory faults: 0
Feb 21 16:34:17 snortBox snort: ===============================================================================
Feb 21 16:34:17 snortBox snort: TCP Stream Reassembly Stats:
Feb 21 16:34:17 snortBox snort:         TCP Packets Used: 162212     (214.538%)
Feb 21 16:34:17 snortBox snort:          Stream Trackers: 4398
Feb 21 16:34:17 snortBox snort:           Stream flushes: 351
Feb 21 16:34:17 snortBox snort:            Segments used: 924
Feb 21 16:34:17 snortBox snort:    Stream4 Memory Faults: 0
Feb 21 16:34:17 snortBox snort: ===============================================================================


