Snort mailing list archives

RE: Snort PerfMon preprocessor output


From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Fri, 22 Oct 2004 13:04:23 +0900

Changed the perfmonitor settings to include console output, so I could
double check what each column was actually showing.  Here is what got
recorded by syslog:

Oct 22 12:47:06 snort snort:   Snort Realtime Performance  : Fri Oct 22 12:47:06 2004
Oct 22 12:47:06 snort snort: --------------------------
Oct 22 12:47:06 snort snort: Pkts Recv:   1944
Oct 22 12:47:06 snort snort: Pkts Drop:   18446744073709551559
Oct 22 12:47:06 snort snort: % Dropped:   948906588153783552.00%
Oct 22 12:47:06 snort snort: KPkts/Sec:   0.48
Oct 22 12:47:06 snort snort: Bytes/Pkt:   627
Oct 22 12:47:06 snort snort: Mbits/Sec:   2.40 (wire)
Oct 22 12:47:06 snort snort: Mbits/Sec:   0.01 (rebuilt)
Oct 22 12:47:06 snort snort: Mbits/Sec:   2.40 (total)
Oct 22 12:47:06 snort snort: PatMatch:    87.47%
Oct 22 12:47:06 snort snort: CPU Usage:   3.62% (user)  0.81% (sys)  95.58% (idle)
Oct 22 12:47:06 snort snort: Alerts/Sec      :  0.0
Oct 22 12:47:06 snort snort: Syns/Sec        :  9.5
Oct 22 12:47:06 snort snort: Syn-Acks/Sec    :  9.6
Oct 22 12:47:06 snort snort: New Sessions/Sec:  13.4
Oct 22 12:47:06 snort snort: Del Sessions/Sec:  12.9
Oct 22 12:47:06 snort snort: Total Sessions  :  263
Oct 22 12:47:06 snort snort: Max Sessions    :  517
Oct 22 12:47:06 snort snort: Stream Flushes/Sec :  17.4
Oct 22 12:47:06 snort snort: Stream Faults/Sec  :  0
Oct 22 12:47:06 snort snort: Stream Timeouts    :  2
Oct 22 12:47:06 snort snort: Frag Completes()s/Sec:  0.0

So, it looks like field 2 is the % dropped packets.  The problem actually
seems to be in the dropped packets counter.  It claims I dropped more than
100 billion packets, when I only received 1944.

Must be a bug in the performance counter.  Anyone have any ideas?

Barry



-----Original Message-----
From: Basselgia, Barry A Mr (NAF Atsugi) 
Sent: Thursday, October 21, 2004 5:00 PM
To: 'snort-users () lists sourceforge net'
Subject: Snort PerfMon preprocessor output


I'm trying to figure out how to gauge the performance on my snort sensor.  I
have the perfmonitor preprocessor configured with the below line in my
snort.conf file.

preprocessor perfmonitor: time 60 events flow file /var/log/snort/snort.stats pktcnt 50

I was using the perfmon-graph.pl file to generate charts from the file.  But
the charts don't seem to match observed performance.  The first thing that
appears to be strange is in the % Packets Dropped data.  If I'm not mistaken,
it's the second field in the snort.stats file, the time stamp being the
first field.  It is regularly recording that the % Packets Dropped is
greater than 100, in some instances much, much greater than 100.  I'll
include sample data below.

Is there any more info on the perfmonitor preprocessor, other than what's in
the snort_manual.pdf file?  Anybody have any idea why it claims I'm dropping
Billions % packets?

snort:/var/log/snort # more snort.stats
1098299821,0.000,0.1,0.0,0.0,469,83.59,0.5,0.5,0.5,0.4,11,15,0.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098300022,32.718,0.2,0.0,0.1,280,73.48,0.7,0.7,0.7,0.8,9,16,1.1,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.7
1098300144,534533296833078848.000,0.6,0.0,0.1,638,88.10,2.8,2.8,2.9,2.9,15,21,5.6,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.2
1098300206,0.000,0.2,0.0,0.1,532,84.87,1.7,1.7,1.7,1.8,11,21,3.2,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.7
1098300270,0.000,0.2,0.0,0.0,660,108.07,1.2,1.2,1.2,1.1,15,21,2.4,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.1,99.2
1098300342,15.919,0.3,0.0,0.1,366,87.41,1.3,1.3,1.3,1.4,10,25,2.5,0,3,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098300416,100.000,0.3,0.0,0.1,590,87.64,0.9,0.9,0.9,0.9,8,25,1.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300483,100.000,0.2,0.0,0.0,515,85.02,0.7,0.7,0.7,0.7,13,25,1.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.8
1098300551,0.000,0.3,0.0,0.1,477,83.42,2.5,2.5,2.6,2.5,15,25,4.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300613,2.852,0.5,0.0,0.1,462,85.56,2.2,2.2,2.3,2.2,17,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.1
1098300675,100.000,0.4,0.0,0.1,549,86.72,0.8,0.8,0.8,1.0,9,25,1.6,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300741,0.000,0.3,0.0,0.1,550,85.84,1.7,1.7,1.7,1.6,14,25,2.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300813,0.000,0.1,0.0,0.0,321,84.21,1.3,1.3,1.3,1.3,13,25,3.2,0,3,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098300880,0.000,0.2,0.0,0.1,476,89.38,1.9,1.9,1.9,1.9,13,25,4.5,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300944,18.444,0.3,0.0,0.1,298,75.11,1.5,1.5,1.5,1.6,11,25,3.4,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098301018,100.000,0.1,0.0,0.0,619,133.61,1.2,1.2,1.3,1.3,15,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,1.4,0.0,98.6
1098301097,100.000,0.1,0.0,0.0,292,77.05,1.1,1.1,1.1,1.2,10,25,2.9,0,3,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.8
1098301175,0.000,0.1,0.0,0.0,367,81.32,1.0,1.0,1.0,1.0,6,25,2.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098301239,12.576,0.4,0.0,0.1,382,81.06,1.9,1.9,2.0,1.8,17,25,4.1,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301311,100.000,0.2,0.0,0.1,550,90.52,1.5,1.5,1.5,1.6,7,25,4.0,0,3,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098301373,0.000,0.2,0.0,0.0,486,85.79,1.5,1.5,1.5,1.5,8,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301442,0.000,0.2,0.0,0.0,459,84.36,1.5,1.5,1.5,1.5,12,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098301502,0.000,0.4,0.0,0.1,491,86.14,2.0,2.0,2.1,2.1,12,25,4.7,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301574,69.776,0.3,0.0,0.1,363,83.81,1.5,1.5,1.5,1.5,12,25,3.6,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301636,100.000,0.1,0.0,0.0,331,96.05,1.2,1.2,1.2,1.3,11,25,3.3,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301702,794091436664208000.000,0.2,0.0,0.1,404,90.60,1.7,1.7,1.8,1.7,16,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301763,100.000,0.2,0.0,0.1,404,88.06,1.4,1.4,1.4,1.4,14,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301825,7.348,0.5,0.0,0.2,384,81.74,2.5,2.5,2.7,2.6,20,27,5.5,0,2,0.0,0.0,0.0,0.0,0,0,0.9,0.2,99.0
1098301885,100.000,0.2,0.0,0.1,390,81.39,1.8,1.8,1.9,1.9,17,27,4.3,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5

