Re: Performance stats

[Jason Brvenik <jasonb () sourcefire com>]

The application layer stats include the reassembled traffic. It is not
unusual to see nearly double the number for app layer since snort
inspects both reassembled and raw data. The exact ratio will depend on
the mix of TCP/UDP/ICMP traffic as well as average packet sizes and rate.

sekure wrote:
> I was wondering if someone could elaborate on the differences between
> the application layer and wire counters in Snort stats.  Why would i
> sometimes see almost twice the application layer throughput in Mbps
> than on the wire?
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users


-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users