Snort mailing list archives

RE: RE: Snort PerfMon preprocessor output


From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Sun, 24 Oct 2004 12:33:23 +0900

Thanks for the pointer.

When I went to look at perf-base.c I found there is a #define that sets up
the drop packet counter.  It was set to ACCUMULATE_PKTS, which is for BSD
systems; I changed it to RESET_PKTS, which the comments say is for Linux
2.4.*.  Recompiled snort and the stats seem to be working much better now.

Shouldn't the configure script have picked this up?

Thanks again for the help.

Barry


-----Original Message-----
From: sekure [mailto:sekure () gmail com]
Sent: Friday, October 22, 2004 10:15 PM
To: Basselgia, Barry A Mr (NAF Atsugi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] RE: Snort PerfMon preprocessor output


Barry,

Two things:

1.  What OS are you using, what version of libpcap, what version of snort?

2.  Here is the format of the perfmonitor file, from perf-base.c:

/*
 *
 *   Log Base Per Stats to File for Use by the MC
 *
 * unixtime(in secs since epoch)
 * %pkts dropped
 * mbits/sec
 * alerts/sec
 * K-Packets/Sec
 * Avg Bytes/Pkt
 * %bytes pattern matched
 * syns/sec
 * synacks/sec
 * new-sessions/sec
 * del-sessions/sec
 * total-sessions open
 * max-sessions
 * streamflushes/sec
 * streamfaults/sec
 * streamtimeouts
 * fragcompletes/sec
 * fraginserts/sec
 * fragdeletes/sec
 * fragflushes/sec
 * fragtimeouts
 * fragfaults
 * %user-cpu usage
 * %sys-cpu usage
 * %idle-cpu usage
 */



On Fri, 22 Oct 2004 13:04:23 +0900, Basselgia, Barry A Mr (NAF Atsugi)
<babasselgia () atsugi navy mil> wrote:
 
So, it looks like field 2 is the % dropped packets.  The problem actually
seems to be in the dropped packets counter.  It claims I dropped more than
a 100 Billion packets, when I only received 1944.

Must be a bug in the performance counter.  Anyone have any ideas?

Barry
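
A sanity check for the symptom discussed in this thread, as an added example that is not part of the original messages or of Snort's code: it parses stats lines using the field order from the quoted perf-base.c comment and flags percentage fields that fall outside 0 to 100. The comma-separated layout, the `#` comment handling, the Python field names and the sample lines are assumptions constructed for illustration.

```python
import csv
import io

# Field order as listed in the perf-base.c comment quoted above
# (the Python names are this example's own).
FIELDS = [
    "unixtime", "pct_pkts_dropped", "mbits_per_sec", "alerts_per_sec",
    "kpkts_per_sec", "avg_bytes_per_pkt", "pct_bytes_pattern_matched",
    "syns_per_sec", "synacks_per_sec", "new_sessions_per_sec",
    "del_sessions_per_sec", "total_sessions_open", "max_sessions",
    "streamflushes_per_sec", "streamfaults_per_sec", "streamtimeouts",
    "fragcompletes_per_sec", "fraginserts_per_sec", "fragdeletes_per_sec",
    "fragflushes_per_sec", "fragtimeouts", "fragfaults",
    "pct_user_cpu", "pct_sys_cpu", "pct_idle_cpu",
]
PCT_FIELDS = [name for name in FIELDS if name.startswith("pct_")]


def parse_perfmon(text):
    """Yield (line_number, record) for each stats line.

    Assumes one comma-separated record per line; blank lines and lines
    starting with '#' are skipped. Extra trailing columns are ignored.
    """
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) < len(FIELDS):
            raise ValueError(f"line {lineno}: only {len(row)} fields")
        yield lineno, {name: float(v) for name, v in zip(FIELDS, row)}


def implausible(text):
    """Return (line_number, field, value) for percentages outside 0..100."""
    hits = []
    for lineno, rec in parse_perfmon(text):
        for name in PCT_FIELDS:
            if not 0.0 <= rec[name] <= 100.0:
                hits.append((lineno, name, rec[name]))
    return hits


# Constructed sample, not real sensor output: the second record carries a
# drop percentage that cannot be right, the kind of value a miscounted
# drop counter would produce.
SAMPLE = (
    "# constructed sample, not real sensor output\n"
    "1098588803,0.000,1.2,0.0,0.4,380,12.5,3,3,2,1,40,55,0,0,0,0,0,0,0,0,0,4.0,1.5,94.5\n"
    "1098589103,5154321.0,1.1,0.0,0.3,372,11.0,2,2,1,1,38,55,0,0,0,0,0,0,0,0,0,3.5,1.0,95.5\n"
)
```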
