Snort mailing list archives
Re: profiling
From: "Carter Waxman (cwaxman)" <cwaxman () cisco com>
Date: Fri, 4 Apr 2014 15:37:43 +0000
Percent of total indicates the percentage of time spent in the particular preprocessor / phase of detection. If you add all of the values together, then you will get a value greater than 100. Processing is performed using a hierarchy, so percent of total will include time for the layer + time spent in sub-layers. Layer simply refers to the depth of calls. For example, for s5TcpData, the call hierarchy is s5->s5tcp->s5TcpState (layer 0->1->2). This should help clarify things: https://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pd f On 4/4/14 10:43 AM, "simegnew yihunie" <syihunie () gmail com> wrote:
Thanks. do you have any idea about the column percent of total and layer stands for. it is more than 100 when I add all. Sincerely, Sy. On 4/3/14, Carter Waxman (cwaxman) <cwaxman () cisco com> wrote:Hello, You are correct. All of the statistics you listed track Stream5. -Carter On 4/3/14 10:33 AM, "simegnew yihunie" <syihunie () gmail com> wrote:Hey Guys, I enabled profile enabling of preprocessors and test the snort. In the table there are s5, s5tcpState, s5tcpFlush, s5tcpProcessRebuilt, s5tcpBuildPacket, s5tcpData,s5tcpPacketInsert, s5tcpNewSess. Are all these stream preprocessors or other? Any one who have any idea about this preprocessors layer ? Sincerely, S.y ------------------------------------------------------------------------ -- ---- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- profiling simegnew yihunie (Apr 03)
- <Possible follow-ups>
- profiling simegnew yihunie (Apr 03)
- Re: profiling Carter Waxman (cwaxman) (Apr 03)
- Message not available
- Re: profiling Carter Waxman (cwaxman) (Apr 04)
- Re: profiling Carter Waxman (cwaxman) (Apr 03)
- profiling simegnew yihunie (Apr 03)