Snort mailing list archives
Re: 100% Outstanding - what does that mean?
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 9 Aug 2010 16:59:52 -0400
On Mon, Aug 9, 2010 at 4:47 PM, Bryan Arenal <b.arenal () gmail com> wrote:
> On Mon, Aug 9, 2010 at 09:14, Russ Combs <rcombs () sourcefire com> wrote:
> > On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal () gmail com> wrote:
> > > I just set up a new sensor and when checking its performance statistics, I am seeing a couple of the interfaces with Outstanding at 100%. Here's the output from one of the interfaces:
> > >
> > > Aug 9 06:56:54 spock snort[1536]: ===============================================================================
> > > Aug 9 06:56:54 spock snort[1536]: Packet I/O Totals:
> > > Aug 9 06:56:54 spock snort[1536]: Received: 202781012
> > > Aug 9 06:56:54 spock snort[1536]: Analyzed: 0 ( 0.000%)
> > > Aug 9 06:56:54 spock snort[1536]: Dropped: 0 ( 0.000%)
> > > Aug 9 06:56:54 spock snort[1536]: Filtered: 0 ( 0.000%)
> > > Aug 9 06:56:54 spock snort[1536]: Outstanding: 202781012 (100.000%)
> > > Aug 9 06:56:54 spock snort[1536]: Injected: 0
> > > Aug 9 06:56:54 spock snort[1536]: ===============================================================================
> > >
> > > What exactly does that mean? A google search shows a February email from Matt Watchinski saying, "Outstanding means that packets never got out of the ethernet card before they got dropped. IE pcap didn't get to them before they disappeared." But the README.counts in the 2.9.0 beta documentation says "Outstanding indicates how many packets are buffered awaiting processing." So I suppose I'm a bit confused. If they're buffered, pcap has gotten to them, correct? Can I see why 100% of them are buffered and not processing?
> >
> > The DAQ changes things up a little with 2.9.0. Which DAQ are you using and how is it configured?
>
> That was actually a test box and I haven't done any additional configuration to DAQ, but I do see the same thing on one of my other machines that's running 2.8.6.1. And CPU utilization on that snort process is near 0%.
>
> Aug 9 11:23:33 spock snort[13693]: ===============================================================================
> Aug 9 11:23:33 spock snort[13693]: Packet Wire Totals:
> Aug 9 11:23:33 spock snort[13693]: Received: 149221835
> Aug 9 11:23:33 spock snort[13693]: Analyzed: 0 (0.000%)
> Aug 9 11:23:33 spock snort[13693]: Dropped: 2338 (0.002%)
> Aug 9 11:23:33 spock snort[13693]: Outstanding: 149219497 (99.998%)
> Aug 9 11:23:33 spock snort[13693]: ===============================================================================
>
> But other processes running on other interfaces are reporting normal stats. Looks like it's just regular HTTP traffic and not a whole lot at that.
Can you send the snort command line and any DAQ config daq_* or config bpf_* stuff from your conf? Also, please confirm that all your protocol breakdown counts are zero. If you can reproduce this without a conf, you should see something like this at start up:

$ sudo ./snort ip6
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: ip6
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0 IPv6 GRE (Build 48)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Can you send the equivalent?
> And thanks for the humor Justin and Marty! :-)
>
> Regards,
> Bryan
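A small sensor health check built around the counters this thread is debating, added here as an example and not code from the thread or from Snort itself: it parses the Packet I/O Totals / Packet Wire Totals lines Snort writes to syslog, groups them per snort process and flags a process whose Outstanding share is high or whose Analyzed count is zero. It assumes Outstanding is what remains of Received after Analyzed, Dropped and Filtered are subtracted (both stats blocks quoted above satisfy this); the 5% threshold and the second, healthy process (PID 2001) are constructed.

```python
import re
# Snort "Packet I/O Totals" (2.9.0) / "Packet Wire Totals" (2.8.x) counter
# lines as written to syslog; the trailing "(x.xxx%)" is ignored.
COUNTER_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<name>Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(?P<value>\d+)"
)

# Constructed sample: PID 1536 mirrors the thread's output, PID 2001 is a
# made-up healthy process on another interface.
SAMPLE_LOG = [
    "Aug 9 06:56:54 spock snort[1536]: Received: 202781012",
    "Aug 9 06:56:54 spock snort[1536]: Analyzed: 0 ( 0.000%)",
    "Aug 9 06:56:54 spock snort[1536]: Dropped: 0 ( 0.000%)",
    "Aug 9 06:56:54 spock snort[1536]: Filtered: 0 ( 0.000%)",
    "Aug 9 06:56:54 spock snort[1536]: Outstanding: 202781012 (100.000%)",
    "Aug 9 06:56:54 spock snort[2001]: Received: 1000000",
    "Aug 9 06:56:54 spock snort[2001]: Analyzed: 998500 (99.850%)",
    "Aug 9 06:56:54 spock snort[2001]: Dropped: 500 ( 0.050%)",
    "Aug 9 06:56:54 spock snort[2001]: Outstanding: 1000 ( 0.100%)",
]

def parse_packet_totals(lines: list[str]) -> dict[str, dict[str, int]]:
    """Group counters by snort PID (Snort runs one process per interface)."""
    totals: dict[str, dict[str, int]] = {}
    for line in lines:
        m = COUNTER_RE.search(line)
        if m:
            totals.setdefault(m["pid"], {})[m["name"]] = int(m["value"])
    return totals

def check_sensor(c: dict[str, int], max_outstanding_pct: float = 5.0) -> list[str]:
    """Return health findings for one process; an empty list means healthy."""
    received = c.get("Received", 0)
    analyzed, outstanding = c.get("Analyzed", 0), c.get("Outstanding", 0)
    findings = []
    # Assumption: Outstanding = Received - Analyzed - Dropped - Filtered
    # (Filtered is absent from 2.8.x output, so it defaults to 0).
    if received - analyzed - c.get("Dropped", 0) - c.get("Filtered", 0) != outstanding:
        findings.append("counters do not reconcile")
    pct = 100.0 * outstanding / received if received else 0.0
    if pct > max_outstanding_pct:
        findings.append(f"outstanding {pct:.3f}% exceeds {max_outstanding_pct}%")
    if analyzed == 0:
        findings.append("analyzed is 0: nothing reached the detection engine")
    return findings

def audit(lines: list[str]) -> dict[str, list[str]]:
    """Health findings per snort PID for a batch of syslog lines."""
    return {pid: check_sensor(c) for pid, c in parse_packet_totals(lines).items()}
```

Feeding the 2.8.6.1 block from the thread through `audit` reconciles (149221835 - 0 - 2338 = 149219497) and still raises both findings, which is the symptom the thread describes: the card is receiving but nothing is being analyzed.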
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users