Snort mailing list archives

Packet I/O Totals section


From: elof () sentor se
Date: Wed, 16 Jul 2014 17:41:29 +0200 (CEST)


When stopping snort, or dumping stats, you get this section:

===============================================================================
Packet I/O Totals:
    Received:   wwwwwww
    Analyzed:   xxxxxxx ( 99.811%)
     Dropped:   yyyyyyy (  0.730%)
    Filtered:         0 (  0.000%)
Outstanding:   zzzzzzz (  0.189%)
    Injected:         0
===============================================================================

Filtered is not supported by the pcap DAQ, so 0.
Injected is 0 since I'm not running in inline mode.

No questions about these two. But...


1) Exactly where is the Received value coming from?
Is it an internal counter of *actually received packets* within snort, or 
is this value supplied by the daq-system, bpf-system or similar?

2) I guess analyzed is the amount of packets from the received ones that 
actually made it all the way through snort processing. Correct? ...or is 
this acquired elsewhere?

3) Dropped seems to be the reported drop count from the bpf-system. This 
should mean that Dropped = "Capture drops (drops outside of snort)". 
Correct?

4) Outstanding seems to simply be Received minus Analyzed. Correct?



I get very confusing numbers, that's why I'm asking.
When I have descriptions of what the values should be, I can create a 
future bug report, if needed.


So, for the four titles above, can I have a short description of what they 
truly are and where the values come from?

/Elof

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
