Re: 100% Outstanding - what does that mean?

[Martin Roesch <roesch () sourcefire com>]

That's exactly what I was thinking... ;)


On Mon, Aug 9, 2010 at 11:16 AM, Justin Heath <justin.heath () gmail com> wrote:
> That means that it's really, really good. In fact, you could say that
> it's outstanding! :)
>
> On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal () gmail com> wrote:
> > I just set up a new sensor and when checking its performance
> > statistics, I am seeing a couple of the interfaces with Outstanding at
> > 100%.  Here's the output from one of the interfaces:
> >
> > Aug  9 06:56:54 spock snort[1536]:
> > ===============================================================================
> > Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
> > Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
> > Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
> > Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
> > Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
> > Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
> > Aug  9 06:56:54 spock snort[1536]:    Injected:            0
> > Aug  9 06:56:54 spock snort[1536]:
> > ===============================================================================
> >
> > What exactly does that mean?  A google search shows a February email
> > from Matt Watchinski saying, "Outstanding means that packets never got
> > out of the ethernet card before they got dropped.  IE pcap didn't get
> > to them before they disappeared."  But the README.counts in the 2.9.0
> > beta documentation says "Outstanding indicates how many packets are
> > buffered awaiting processing."  So I suppose I'm a bit confused.  If
> > they're buffered, pcap has gotten to them, correct?  Can I see why
> > 100% of them are buffered and not processing?
> >
> > Regards,
> >
> > Bryan
> >
> > ------------------------------------------------------------------------------
> > This SF.net email is sponsored by
> >
> > Make an app they can't live without
> > Enter the BlackBerry Developer Challenge
> > http://p.sf.net/sfu/RIM-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev 
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users