Snort mailing list archives

RE: Drop statistics and Cisco Catalyst 6500

From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Wed, 27 Mar 2002 23:02:07 -0600

Telnet session at the enable prompt:

cisco> (enable) show counters 4/5
64 bit counters
0  rxHCTotalPkts                      =                    0
1  txHCTotalPkts                      =           1347813989
2  rxHCUnicastPkts                    =                    0
3  txHCUnicastPkts                    =           1334331889
4  rxHCMulticastPkts                  =                    0
5  txHCMulticastPkts                  =              2806053
6  rxHCBroadcastPkts                  =                    0
7  txHCBroadcastPkts                  =             10676047
[etc.]

I just noticed the "64 bit counters" thing this time.  If that is to be
believed, then the Cisco counters shouldn't roll over until
18,446,744,073,709,551,616.

I probably won't bother with that one-hour test tomorrow...

Owen

-----Original Message-----
From: Madziarczyk, Jonathan [mailto:than () cityofevanston org]
Sent: Wednesday, March 27, 2002 6:49 PM
To: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Drop statistics and Cisco Catalyst 6500




-----Original Message-----
From: Madziarczyk, Jonathan 
Sent: Wednesday, March 27, 2002 6:48 PM
To: 'Crow, Owen'
Subject: RE: [Snort-users] Drop statistics and Cisco Catalyst 6500

Owen,

Was your Network guru looking at the counters from the console or SNMP (like
CiscoWorks or Openview)?

JonM

-----Original Message-----
From: Crow, Owen [mailto:Owen_Crow () bmc com] 
Sent: Wednesday, March 27, 2002 4:57 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] Drop statistics and Cisco Catalyst 6500

I'm trying to understand the packet & drop statistics generated by Snort vs.
the statistics generated by a Cisco Catalyst 6500.

Sensor info:
Compaq ML370 Rack-mount
Pentium III at 933MHz
512MB RAM
Redhat 7.2 with stock kernel 2.4.7-10
libpcap-0.7.1 compiled locally
snort-1.8.3 compiled locally against libpcap-0.7.1
Admin interface: eth0: OEM i82557/i82558 10/100 Ethernet, xx:xx:xx:xx:xx:xx,
IRQ 11.
Unused interface: eth1: OEM i82557/i82558 10/100 Ethernet,
xx:xx:xx:xx:xx:xx, IRQ 5.
Snort interface: eth2:  Mem:0xc6fe0000  IRQ:15  Speed:1000 Mbps  Duplex:Full
        Intel(R) PRO/1000 Network Driver - version 3.1.22
All hardware is Compaq-supplied.
Only output options are fast and binary.

The Snort interface is connected via fiber to a port on the 6500 and the
VLAN for one of our internal networks is spanned to this port.  Of the VLAN
ports, 11 are GigE and two are 100BaseT.  This VLAN (call it 10.10.0.0/16)
serves multiple floors in multiple buildings for about 2500 systems.

Yesterday, I setup a cron job to grab statistics every hour on the Snort
sensor:
0 * * * * killall -USR1 snort && sleep 10 && egrep "snort: Snort
analyzed|snort: dropping" /var/log/messages | tail -2 | mail -s "Snort stats
for $HOSTNAME on `date`" me@my.domain

Which returns output like:
Mar 27 16:00:00 hostname snort: Snort analyzed 58659786 out of 102822893
packets, 
Mar 27 16:00:00 hostname snort: dropping 44163107(42.951%) packets  

Then at a specific hour (16:00 CST yesterday) I asked our network admin to
reset the statistics on the Snort port of the 6500.  Today at 09:00 I asked
him to "show counters" on that port to get the transmitted packet counts
(txHCTotalPkts).  In theory, the total packets seen by the 6500 for that
port should match the total packets seen by the Snort sensor.  Here are the
numbers:

Snort sensor:
Total packets analyzed: 1,347,042,936
Total packets:          2,452,608,498
Dropped packets:        1,105,565,562
Drop percentage:        45.08%

Catalyst 6500:
Total packets (txHCTotalPkts): 1,347,813,989
Discards (ifOutDiscards):          8,182,354

So the average packets per second according to Snort is 40075, while
according to the Cisco it is 22023.  Why does my Snort sensor seem to be
seeing approximately twice as many packets as the Cisco?

I can provide more of the Cisco stats if they are relevant.

Thanks,
Owen Crow
Systems Programmer (Unix)
BMC Software, Inc.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)
- Re: Drop statistics and Cisco Catalyst 6500 Rich Adamson (Mar 27)
- <Possible follow-ups>
- RE: Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)
  - RE: Drop statistics and Cisco Catalyst 6500 Rich Adamson (Mar 27)
  - Re: Drop statistics and Cisco Catalyst 6500 Dr. Richard W. Tibbs (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Madziarczyk, Jonathan (Mar 27)
- RE: Drop statistics and Cisco Catalyst 6500 Crow, Owen (Mar 27)