Snort mailing list archives
[PATCH]: bad calculation of the amount of drop.
From: Yoann Vandoorselaere <yoann () prelude-ids org>
Date: Wed, 01 Oct 2003 16:46:54 +0200
Hi,
It seems that Snort has a bug preventing the calculation of the correct
amount of dropped packets. This bug makes Snort report ~50% of dropped
packets when there are in fact ~99% of drops.
In order to compute the amount of dropped packets, Snort uses the
statistics provided by pcap through the pcap_stat structure.
This structure contains two fields:
- ps_recv is the total amount of packets received, _including DROP_.
- ps_drop is the amount of packets dropped by the kernel.
The correct way to gather the number of analyzed packets is to subtract
ps_drop from ps_recv. Adding a simple packet counter to Snort will
provide you with the proof that the correct way to calculate the
percentage of DROP is to use ps_recv - ps_drop.
Also, the following comment in the pcap source code describes this
behavior, from pcap-bpf.c (the same kind of comment is present in
pcap-linux.c):
/*
* "ps_recv" counts packets handed to the filter, not packets
* that passed the filter. This includes packets later dropped
* because we ran out of buffer space.
*
* "ps_drop" counts packets dropped inside the BPF device
* because we ran out of buffer space. It doesn't count
* packets dropped by the interface driver. It counts
* only packets that passed the filter.
*
* Both statistics include packets not yet read from the kernel
* by libpcap, and thus not yet seen by the application.
*/
The current code in Snort, enabling the calculation of the amount of drops, is
in util.c:
LogMessage("Snort analyzed %d out of %d packets, ",
ps.ps_recv, ps.ps_recv+ps.ps_drop);
As ps_recv already contains the amount of drops, the line of code in
question should look more like:
LogMessage("Snort analyzed %d out of %d packets, ",
ps.ps_recv - ps.ps_drop, ps.ps_recv);
Then the following offending line of code:
LogMessage("dropping %d(%.3f%%) packets\n\n",
           ps.ps_drop,
           CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv+ps.ps_drop) ));
That should be corrected to:
LogMessage("dropping %d(%.3f%%) packets\n\n",
           ps.ps_drop,
           CalcPct( (float) ps.ps_drop, (float) ps.ps_recv ));
Also, the per-protocol breakdown should probably be fixed to be computed
against the amount of received packets, and not the amount of packets
received + the number of DROPs (the patch doesn't fix this, and keeps the
current behavior).
--
Yoann Vandoorselaere <yoann () prelude-ids org>
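As an added illustration (not part of the original post or of Snort's code), the following C program simulates the two counters the way the pcap comment above describes them, using a constructed struct in place of struct pcap_stat and an assumed calc_pct helper shaped like Snort's CalcPct. It shows that the application's own packet count equals ps_recv - ps_drop, and that the old formula under-reports the drop rate exactly as the post describes.

```c
#include <stdio.h>

/* Constructed stand-in for libpcap's struct pcap_stat, so this compiles
 * without libpcap. Field semantics follow the pcap-bpf.c comment. */
struct capture_stats {
    unsigned int ps_recv;  /* packets handed to the filter, INCLUDING later drops */
    unsigned int ps_drop;  /* packets dropped in the kernel for lack of buffer space */
};

/* Assumed shape of Snort's CalcPct: percentage of cnt over total. */
static float calc_pct(float cnt, float total)
{
    return total == 0.0f ? 0.0f : (cnt / total) * 100.0f;
}

/* Pre-patch arithmetic: wrongly treats ps_recv as if it excluded drops. */
static float drop_pct_old(const struct capture_stats *ps)
{
    return calc_pct((float)ps->ps_drop, (float)(ps->ps_recv + ps->ps_drop));
}

/* Patched arithmetic: ps_recv is the true total, analyzed = recv - drop. */
static unsigned int analyzed_packets(const struct capture_stats *ps)
{
    return ps->ps_recv - ps->ps_drop;
}

static float drop_pct_new(const struct capture_stats *ps)
{
    return calc_pct((float)ps->ps_drop, (float)ps->ps_recv);
}

/* Simulated kernel side: every packet reaching the filter bumps ps_recv; a
 * packet that finds the buffer full also bumps ps_drop and never reaches the
 * application, which reads the buffer every drain_every packets.
 * Returns the number of packets the application actually saw. */
static unsigned int simulate_capture(unsigned int total, unsigned int buffer_slots,
                                     unsigned int drain_every, struct capture_stats *ps)
{
    unsigned int queued = 0, seen_by_app = 0;
    ps->ps_recv = ps->ps_drop = 0;
    for (unsigned int i = 1; i <= total; i++) {
        ps->ps_recv++;
        if (queued < buffer_slots) queued++; else ps->ps_drop++;
        if (i % drain_every == 0) { seen_by_app += queued; queued = 0; }
    }
    seen_by_app += queued;  /* application drains what is left at the end */
    return seen_by_app;
}
```

With 1000 packets, a single buffer slot and a drain every 100 packets, the application sees 10 packets, ps_recv - ps_drop is also 10, and the drop rate is 99.0% under the patched formula but about 49.7% under the old one.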
Attachment:
snort-drop-calculation.diff