Snort mailing list archives
Re: performance monitoring
From: Erik Fichtner <emf () servervault com>
Date: Sat, 29 May 2004 15:21:08 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, May 29, 2004 at 01:39:01AM -0700, nt wrote:
> I am outputting the performance monitoring to a file and I would like to
> know what each column represents. Does anyone know? I plan on parsing and
> displaying it in a web page. Below is the output.
>
> 1085819494,0.000,3.6,0.3,0.9,661,117.54,9.0,7.7,8.9,8.9,159,555,55.8,0,5 9,0.0,0.0,0.0,0.0,0,0,4.7,0.9,94.4

make_snortperf_rrd.sh:
#!/bin/sh
# Example input line:
#
# 1085604455,0.000,73.9,0.4,21.9,430,80.60,1340.4,1348.7,257.0,2399.7,991.5,967.7,24525,40918,0.0,0,1,0.3,0.5,0.2,0.2,60,0,23.4,3.4,73.3
#
# 1. epoch seconds, [1085604455]
# 2. %packets dropped, [0.000]
# 3. MBits/sec, [73.9]
# 4. alerts/sec, [0.4]
# 5. kpkts/sec, [21.9]
# 6. avg bytes/pkt, [430]
# 7. %bytes pattern matched, [80.60]
# 8. syns/sec [1340.4]
# 9. synacks/sec [1348.7]
# 10. rsts/sec [257.0] (only in emf's patch to 2.1.3rc1)
# 11. fins/sec [2399.7] (only in emf's patch to 2.1.3rc1)
# 12. new-sessions/sec [991.5] (from preprocessor stream4)
# 13. del-sessions/sec [967.7] ..
# 14. total sessions open [24525] ..
# 15. max sessions [40918] ..
# 16. stream flushes/sec [0.0] ..
# 17. stream faults/sec [0] ..
# 18. stream timeouts [1] ..
# 19. fragcompletes/sec [0.3] (from preprocessor frag2)
# 20. fraginserts/sec [0.5] ..
# 21. fragdeletes/sec [0.2] ..
# 22. fragflushes/sec [0.2] ..
# 23. frag timeouts [60] ..
# 24. frag faults [0] ..
# 25. %user CPU usage [23.4]
# 26. %sys CPU usage [3.4]
# 27. %idle CPU usage [73.3]

if [ x"$1" = x"" ] ; then
    echo "Usage: $0 [sensorname]";
    exit 128
else
    # One DS per perfmon column 2..27 (column 1 is the timestamp), in order.
    # Heartbeat 180s: a sample more than 3 minutes late is stored as unknown.
    # RRAs: 10080 one-minute rows (7 days), then 4320 hourly averages (180 days).
    rrdtool create "snortperf_${1}.rrd" --step 60 --start 01/01/2002 \
        DS:pct_pkts_dropped:GAUGE:180:U:U \
        DS:mbits_sec:GAUGE:180:U:U \
        DS:alerts_sec:GAUGE:180:U:U \
        DS:kpkts_sec:GAUGE:180:U:U \
        DS:avg_bytes_pkt:GAUGE:180:U:U \
        DS:pct_bytes_matched:GAUGE:180:U:U \
        DS:syn:GAUGE:180:U:U \
        DS:synack:GAUGE:180:U:U \
        DS:rst:GAUGE:180:U:U \
        DS:fin:GAUGE:180:U:U \
        DS:new_sessions_sec:GAUGE:180:U:U \
        DS:del_sessions_sec:GAUGE:180:U:U \
        DS:total_sessions_open:GAUGE:180:U:U \
        DS:max_sessions:COUNTER:180:U:U \
        DS:streamflushes_sec:GAUGE:180:U:U \
        DS:streamfaults_sec:GAUGE:180:U:U \
        DS:stream_timeouts:GAUGE:180:U:U \
        DS:fragcompletes_sec:GAUGE:180:U:U \
        DS:fraginserts_sec:GAUGE:180:U:U \
        DS:fragdeletes_sec:GAUGE:180:U:U \
        DS:fragflushes_sec:GAUGE:180:U:U \
        DS:frag_timeouts:GAUGE:180:U:U \
        DS:frag_faults:GAUGE:180:U:U \
        DS:user_CPU:GAUGE:180:U:U \
        DS:sys_CPU:GAUGE:180:U:U \
        DS:idle_CPU:GAUGE:180:U:U \
        RRA:AVERAGE:0:1:10080 \
        RRA:AVERAGE:0:60:4320
fi

- --
Erik Fichtner
Principal Engineer, Information Security, ServerVault Corp.
703-652-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQFAuOKjQ7EzrewLMS0RAmEAAKC7EVDIE32ykI0v3rRZu9TLi56ZKQCfRbrc
BFfCHouVpP5k5L/N5UgsiTA=
=cz1U
-----END PGP SIGNATURE-----
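
Added example (not part of Erik's message or script): a POSIX sh function that turns one perfmon line into the timestamp:value:... argument for "rrdtool update", in the DS order created by make_snortperf_rrd.sh. It assumes a 25-column line differs from the 27-column one only by lacking the rsts/sec and fins/sec columns; the function name and the file names in the usage comment are hypothetical.

```sh
#!/bin/sh
# perf_to_rrd_update LINE
#   Prints "epoch:v1:...:v26" for one perfmon CSV line and returns 0.
#   Prints nothing and returns 1 if the line is malformed, so a truncated
#   or wrapped line never reaches the RRD.
perf_to_rrd_update() {
    printf '%s\n' "$1" | awk -F, '
    {
        # 27 columns: the patched format documented in the script header.
        # 25 columns: assumed to be the same layout minus columns 10 and 11.
        if (NF != 27 && NF != 25) { rc = 1; exit }
        if ($1 !~ /^[0-9]+$/)      { rc = 1; exit }   # epoch seconds
        out = $1
        for (i = 2; i <= NF; i++) {
            # Every metric is a plain non-negative decimal number.
            if ($i !~ /^[0-9]+(\.[0-9]+)?$/) { rc = 1; exit }
            out = out ":" $i
            # Keep DS alignment: after synacks/sec (column 9) store
            # rst and fin as unknown when the input does not carry them.
            if (NF == 25 && i == 9) out = out ":U:U"
        }
        print out
    }
    END { exit rc }'
}

# Usage sketch (hypothetical file names):
#   while IFS= read -r line; do
#       u=$(perf_to_rrd_update "$line") &&
#           rrdtool update snortperf_sensor1.rrd "$u"
#   done < snort.stats
```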
