Snort mailing list archives
Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ?
From: Andreas Maus <maus () ypbind de>
Date: Thu, 23 Nov 2006 19:34:18 +0100
Hi.

I was asked (off-list) to provide some additional information, esp. the packet counters from the OS.

debian3164m:~# netstat -ni
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  413593      0      0      0  287444      0      0      0 ABMRU
lo    16436   0   78789      0      0      0   78789      0      0      0 LRU

[... several hours later ...]

debian3164m:~# netstat -ni ; pkill snort
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  424152      0      0      0  289605      0      0      0 ABMRU
lo    16436   0   84348      0      0      0   84348      0      0      0 LRU

I am snorting on eth0 (non-promiscuous). So after 12720 packets (10559 receiving and 2161 transmitting) I killed snort and as packet statistics it gave:

Snort ran for 0 Days 12 Hours 10 Minutes 16 Seconds
Packet analysis time averages:
Snort Analyzed 30 Packets Per Hour
Snort Analyzed 0 Packets Per Minute
Snort Analyzed 0 Packets Per Second
Snort received 367 packets
    Analyzed: 12715(3464.577%)
    Dropped: 0(0.000%)
    Outstanding: 4294954948(5026360781529153536.000%)
===============================================================================
Breakdown by protocol:
    TCP: 3799 (29.878%)
    UDP: 736 (5.788%)
    ICMP: 189 (1.486%)
    ARP: 7991 (62.847%)
    EAPOL: 0 (0.000%)
    IPv6: 0 (0.000%)
    ETHLOOP: 0 (0.000%)
    IPX: 0 (0.000%)
    FRAG: 0 (0.000%)
    OTHER: 0 (0.000%)
    DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
    ALERTS: 20
    LOGGED: 20
    PASSED: 0
===============================================================================
TCP Stream Reassembly Stats:
    TCP Packets Used: 3799 (29.878%)
    Stream Trackers: 164
    Stream flushes: 619
    Segments used: 1395
    Segments Queued: 1397
    Stream4 Memory Faults: 0
===============================================================================
Snort exiting

This weird number also occurs if I request these statistics via SIGUSR1. And again I will get a reasonable number of outstanding packets (what are outstanding packets?) if I subtract Snort's number of outstanding packets from 2^32 (2**32 - 4294954948 = 12348).

Any hints/clues?

Thanks,

Andreas.

P.S.: Of course I will try the fresh and shiny new snort released yesterday.
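The arithmetic in the message above, as an added example that is not part of the original post and not Snort's source code: it assumes the Outstanding figure is derived as received - analyzed - dropped in unsigned 32-bit arithmetic, which reproduces the reported value from the posted counters. The function names are hypothetical; the checked variant flags inconsistent counters instead of printing a wrapped number.

```c
#include <stdint.h>
#include <stdio.h>

/* Counters copied from the statistics quoted in the post. */
#define RECEIVED 367u
#define ANALYZED 12715u
#define DROPPED  0u

/* Assumed derivation: plain unsigned subtraction. When analyzed + dropped
 * exceeds received, the result wraps modulo 2^32 instead of going negative. */
uint32_t outstanding_naive(uint32_t recv, uint32_t analyzed, uint32_t dropped)
{
    return recv - analyzed - dropped;
}

/* Checked derivation: widen to 64 bits and compare before subtracting.
 * Returns the outstanding count, or -1 if the counters are inconsistent
 * (more packets accounted for than the capture layer reported). */
int64_t outstanding_checked(uint32_t recv, uint32_t analyzed, uint32_t dropped)
{
    uint64_t consumed = (uint64_t)analyzed + dropped;
    if (consumed > recv)
        return -1;
    return (int64_t)(recv - consumed);
}

/* Undo the wrap: how far below zero the true difference was.
 * This is the "2**32 - value" calculation done by hand in the post. */
int64_t wrapped_shortfall(uint32_t wrapped)
{
    return ((int64_t)UINT32_MAX + 1) - (int64_t)wrapped;
}

int main(void)
{
    uint32_t naive = outstanding_naive(RECEIVED, ANALYZED, DROPPED);
    printf("naive outstanding : %u\n", (unsigned)naive);
    printf("hidden shortfall  : %lld\n", (long long)wrapped_shortfall(naive));
    if (outstanding_checked(RECEIVED, ANALYZED, DROPPED) < 0)
        printf("checked           : inconsistent counters "
               "(analyzed + dropped > received)\n");
    return 0;
}
```

The shortfall of 12348 equals 12715 - 367, so under this assumption the huge Outstanding value points to a received counter that is lower than the analyzed counter, not to packets actually waiting in a queue.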
Current thread:
- Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 22)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 23)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Harry Hoffman (Nov 23)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 24)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Harry Hoffman (Nov 23)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Bamm Visscher (Nov 26)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 27)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Bamm Visscher (Nov 27)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 27)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 27)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Andreas Maus (Nov 23)
- Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ? Justin Heath (Nov 27)