Snort mailing list archives
Snort PerfMon preprocessor output
From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Thu, 21 Oct 2004 17:00:25 +0900
I'm trying to figure out how to gauge the performance on my snort sensor. I have the perfmonitor preprocessor configured with the below line in my snort.conf file.

preprocessor perfmonitor: time 60 events flow file /var/log/snort/snort.stats pktcnt 50

I was using the perfmon-graph.pl file to generate charts from the file. But the charts don't seem to match observed performance.

The first thing that appears to be strange is in % Packets Dropped data. If I'm not mistaken, it's the second field in the snort.stats file, the time stamp being the first field. It is regularly recording that the % Packets Dropped is greater than 100, in some instances much, much greater than 100. I'll include sample data below.

Is there any more info on the perfmonitor preprocessor, other than what's in the snort_manual.pdf file? Anybody have any idea why it claims I'm dropping Billions % packets?

snort:/var/log/snort # more snort.stats
1098299821,0.000,0.1,0.0,0.0,469,83.59,0.5,0.5,0.5,0.4,11,15,0.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098300022,32.718,0.2,0.0,0.1,280,73.48,0.7,0.7,0.7,0.8,9,16,1.1,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.7
1098300144,534533296833078848.000,0.6,0.0,0.1,638,88.10,2.8,2.8,2.9,2.9,15,21,5.6,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.2
1098300206,0.000,0.2,0.0,0.1,532,84.87,1.7,1.7,1.7,1.8,11,21,3.2,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.7
1098300270,0.000,0.2,0.0,0.0,660,108.07,1.2,1.2,1.2,1.1,15,21,2.4,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.1,99.2
1098300342,15.919,0.3,0.0,0.1,366,87.41,1.3,1.3,1.3,1.4,10,25,2.5,0,3,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098300416,100.000,0.3,0.0,0.1,590,87.64,0.9,0.9,0.9,0.9,8,25,1.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300483,100.000,0.2,0.0,0.0,515,85.02,0.7,0.7,0.7,0.7,13,25,1.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.8
1098300551,0.000,0.3,0.0,0.1,477,83.42,2.5,2.5,2.6,2.5,15,25,4.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300613,2.852,0.5,0.0,0.1,462,85.56,2.2,2.2,2.3,2.2,17,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.1
1098300675,100.000,0.4,0.0,0.1,549,86.72,0.8,0.8,0.8,1.0,9,25,1.6,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300741,0.000,0.3,0.0,0.1,550,85.84,1.7,1.7,1.7,1.6,14,25,2.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300813,0.000,0.1,0.0,0.0,321,84.21,1.3,1.3,1.3,1.3,13,25,3.2,0,3,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098300880,0.000,0.2,0.0,0.1,476,89.38,1.9,1.9,1.9,1.9,13,25,4.5,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300944,18.444,0.3,0.0,0.1,298,75.11,1.5,1.5,1.5,1.6,11,25,3.4,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098301018,100.000,0.1,0.0,0.0,619,133.61,1.2,1.2,1.3,1.3,15,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,1.4,0.0,98.6
1098301097,100.000,0.1,0.0,0.0,292,77.05,1.1,1.1,1.1,1.2,10,25,2.9,0,3,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.8
1098301175,0.000,0.1,0.0,0.0,367,81.32,1.0,1.0,1.0,1.0,6,25,2.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098301239,12.576,0.4,0.0,0.1,382,81.06,1.9,1.9,2.0,1.8,17,25,4.1,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301311,100.000,0.2,0.0,0.1,550,90.52,1.5,1.5,1.5,1.6,7,25,4.0,0,3,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098301373,0.000,0.2,0.0,0.0,486,85.79,1.5,1.5,1.5,1.5,8,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301442,0.000,0.2,0.0,0.0,459,84.36,1.5,1.5,1.5,1.5,12,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098301502,0.000,0.4,0.0,0.1,491,86.14,2.0,2.0,2.1,2.1,12,25,4.7,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301574,69.776,0.3,0.0,0.1,363,83.81,1.5,1.5,1.5,1.5,12,25,3.6,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301636,100.000,0.1,0.0,0.0,331,96.05,1.2,1.2,1.2,1.3,11,25,3.3,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301702,794091436664208000.000,0.2,0.0,0.1,404,90.60,1.7,1.7,1.8,1.7,16,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301763,100.000,0.2,0.0,0.1,404,88.06,1.4,1.4,1.4,1.4,14,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301825,7.348,0.5,0.0,0.2,384,81.74,2.5,2.5,2.7,2.6,20,27,5.5,0,2,0.0,0.0,0.0,0.0,0,0,0.9,0.2,99.0
1098301885,100.000,0.2,0.0,0.1,390,81.39,1.8,1.8,1.9,1.9,17,27,4.3,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
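A sanity check for the stats file discussed in the message above, as an added example that is not part of the original post or of Snort: it parses perfmonitor CSV records and separates drop percentages outside 0 to 100 from usable ones before anything is graphed. The 25-field layout and the position of the drop percentage are assumptions taken from the post's sample and the poster's reading of it; the fourth sample record is constructed.

```python
import csv
from datetime import datetime, timezone

EXPECTED_FIELDS = 25  # assumption: field count of the records shown in the post
DROP_FIELD = 1        # assumption: second column is "% packets dropped", per the post

# Sample input: three records copied from the post, plus one truncated record
# constructed here to exercise the malformed-record path.
SAMPLE = """\
1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.7
1098300144,534533296833078848.000,0.6
"""


def check_stats(text):
    """Split perfmonitor CSV text into (ok, suspect, malformed) records.

    ok / suspect hold (UTC timestamp, drop %) tuples; malformed holds
    (line number, reason) tuples for records that could not be parsed.
    """
    ok, suspect, malformed = [], [], []
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row:  # skip blank lines
            continue
        try:
            if len(row) != EXPECTED_FIELDS:
                raise ValueError("field count %d" % len(row))
            ts = datetime.fromtimestamp(int(row[0]), tz=timezone.utc)
            drop = float(row[DROP_FIELD])
        except ValueError as exc:
            malformed.append((lineno, str(exc)))
            continue
        # A percentage has to lie in [0, 100]. Anything else is a reporting
        # artifact and must not be charted or alerted on as a real drop rate.
        target = ok if 0.0 <= drop <= 100.0 else suspect
        target.append((ts.isoformat(), drop))
    return ok, suspect, malformed


if __name__ == "__main__":
    ok, suspect, malformed = check_stats(SAMPLE)
    print("usable: %d, out of range: %d, malformed: %d"
          % (len(ok), len(suspect), len(malformed)))
    for ts, drop in suspect:
        print("out-of-range drop %% at %s: %r" % (ts, drop))
```

Running the same function over the full snort.stats file gives the share of intervals whose drop figure cannot be trusted, which is the number to know before relying on charts built from that column.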