Snort mailing list archives

Performance Monitor and "Dropped Rate" Statistic


From: Mike Lococo <mikelococo () gmail com>
Date: Thu, 12 Aug 2010 19:06:20 -0400

Hi Folks,

The "Dropped Rate" statistics (print $2 in awk) output by the
Performance Monitor preprocessor appear to be averaged over the lifetime
of the snort process.  Is there a way to get drop statistics averaged
over the PerfMon data-collection period instead?

What I've tried so far:

   1) Calculating the drop rate myself based on "Total Packets
   Received" (field $46), "Total Packets Dropped" (field $47), and my
   knowledge of the averaging period.  It's possible, but awkward
   compared to the ease with which one obtains other values from
   PerfMon.  Since the packet-drop rate is probably the one stat most
   folks want, it should be dead-easy to get.

   2) Tried dumping "Percentage of Packets Dropped" (field $49).  On my
   Snort 2.8.6 system running kernel 2.6.18-194.3.1.el5 and libpcap
   1.1.1, this field is always zero.  $2 is not zero for the periods in
   question.

   3) I haven't yet tried flipping the perfmon option "accumulate" vs
   "reset" away from the default.  After reading the manual, I'm not
   sure what this option does and it takes a couple of days to generate
   meaningful drop data... so I haven't tried this yet.  Anyone have a
   sense of what the effect of this option is?

In my opinion, snort should _by default_ average the drop rates over the
perfmon data-collection period instead of the process-lifetime.  A
shorter averaging period is more useful since the data can be compared
against packet/bandwidth rates and other time-based data.  It's also
less likely to mislead folks into believing that a low-average rate
means that their sensor is never dropping a large fraction of packets.

Cheers,
Mike Lococo
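
Added example, not part of the original message and not Snort project code: the per-interval calculation from item 1, done by differencing consecutive perfmon CSV rows. It assumes that fields 46 and 47 are cumulative counters since process start, that field 1 is the sample's Unix timestamp, and that the received counter is the right denominator; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Per-interval drop percentage from a perfmon CSV file.
# Assumptions (not confirmed by the post): $46 and $47 are cumulative
# totals, $1 is the sample timestamp, drop% = delta_dropped / delta_received.
interval_drop_rate() {
    awk -F, '
    /^#/ || NF < 47 { next }            # skip comment headers and short lines
    {
        recv = $46 + 0; dropped = $47 + 0
        if (have_prev) {
            d_recv = recv - prev_recv
            d_drop = dropped - prev_drop
            if (d_recv < 0 || d_drop < 0)
                printf "%s reset\n", $1  # counters went backwards (restart)
            else if (d_recv == 0)
                printf "%s idle\n", $1   # no packets seen in this interval
            else
                printf "%s %.2f\n", $1, 100 * d_drop / d_recv
        }
        prev_recv = recv; prev_drop = dropped; have_prev = 1
    }' "$1"
}

# Constructed sample row: 49 comma-separated fields, zero everywhere
# except the timestamp ($1), received ($46) and dropped ($47).
make_sample_row() {
    awk -v ts="$1" -v r="$2" -v d="$3" 'BEGIN {
        printf "%s", ts
        for (i = 2; i <= 49; i++)
            printf ",%s", (i == 46 ? r : (i == 47 ? d : 0))
        print ""
    }'
}

# Stand-alone use: sh drop_rate.sh /path/to/perfmon-file
if [ "$#" -gt 0 ]; then
    interval_drop_rate "$1"
fi
```

Each output line is a timestamp followed by that interval's drop percentage, or "reset" or "idle" where no rate can be computed.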
