Snort mailing list archives

Large Packet Drop with Snort-2.9.8.0 as compared to Snort-2.9.7.6


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Mon, 14 Dec 2015 11:30:00 +0530

Hi,

I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade one
of my sensors showed (somewhat expected) packet drops. However, after the
upgrade the packet drop increased significantly even though the number of
rules decreased (as SO rules are not in use with 2.9.8.0). I am still using
Snort-2.9.7.6 rulesets (as advised by you).

Here is a snip from my snort.stats file for 2.9.8.0

#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
1450069800,26.368,120.821
1450070100,23.706,116.493
1450070400,21.039,121.363

For Snort-2.9.7.6, the snip is
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450071180,0.000,79.159
1450071480,0.000,118.671
1450071780,2.146,132.186
1450072080,8.337,130.408

Looking at end-of-snort stats. This is for 2.9.8.0

Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0


And this is for 2.9.7.6

Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
   Outstanding:         7197 (  0.012%)
   Injected:            0

I have a longish BPF filter, so is the filtered count an indication of the
amount of traffic which was filtered by that filter?
Also is dropped count a subset of analyzed count or received count? I ask
this because it appears
received_count = analyzed + filtered
so dropped_count doesn't really fit in

Regards,
Dheeraj
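The two "Packet I/O Totals" blocks quoted above can be checked arithmetically: in both, Analyzed + Filtered + Outstanding equals Received exactly, and the printed Dropped percentage equals Dropped / (Received + Dropped), i.e. it is taken against everything the DAQ saw, not against Received. The script below is an added example (not part of the original post, and not Snort project code) that parses those blocks and the snort.stats CSV lines from the message, verifies that relationship, and flags perfmon intervals whose drop rate exceeds a threshold, which is the kind of check a sensor operator would want in monitoring so that visibility loss after an upgrade does not go unnoticed. The counter names, the threshold value and the helper function names are this example's own choices; the sample text is copied from the post.

```python
"""Sanity-check Snort 2.9.x packet accounting and flag high-drop intervals.

Added example; parses the end-of-run "Packet I/O Totals" block and the
snort.stats perfmon CSV quoted in the message above.
"""
import re

# Sample input copied from the post (2.9.8.0 run).
TOTALS_2980 = """\
Packet I/O Totals:
   Received:    804563792
   Analyzed:    388361098 ( 48.270%)
    Dropped:    298207658 ( 27.042%)
   Filtered:    415840607 ( 51.685%)
   Outstanding:       362087 (  0.045%)
   Injected:            0
"""

# Sample input copied from the post (2.9.7.6 run).
TOTALS_2976 = """\
Packet I/O Totals:
   Received:     60969886
   Analyzed:     30035104 ( 49.262%)
    Dropped:       742645 (  1.203%)
   Filtered:     30927585 ( 50.726%)
   Outstanding:         7197 (  0.012%)
   Injected:            0
"""

# Sample snort.stats lines copied from the post (2.9.8.0 run).
SNORT_STATS_2980 = """\
#time,pkt_drop_percent,wire_mbits_per_sec.realtime
1450068900,33.873,124.415
1450069200,23.718,121.253
1450069500,26.014,120.349
1450069800,26.368,120.821
1450070100,23.706,116.493
1450070400,21.039,121.363
"""

# One counter per line: "Name:   <count> ( pct%)"; the percentage is optional.
FIELD_RE = re.compile(r"^\s*(\w+):\s+(\d+)")


def parse_totals(text):
    """Return {'received': int, 'analyzed': int, ...} from a Packet I/O block."""
    counters = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return counters


def check_accounting(counters):
    """Return (parts_sum_to_received, drop_pct).

    parts_sum_to_received: Analyzed + Filtered + Outstanding == Received.
    drop_pct: Dropped as a percentage of (Received + Dropped), rounded to the
    three decimals Snort prints, so it can be compared with the printed value.
    """
    parts = counters["analyzed"] + counters["filtered"] + counters["outstanding"]
    seen_by_daq = counters["received"] + counters["dropped"]
    drop_pct = round(100.0 * counters["dropped"] / seen_by_daq, 3)
    return parts == counters["received"], drop_pct


def high_drop_intervals(stats_text, threshold_pct):
    """Return [(epoch_time, pkt_drop_percent), ...] for intervals above threshold.

    The header line starting with '#' names the columns, as in snort.stats.
    """
    header = None
    flagged = []
    for line in stats_text.splitlines():
        if line.startswith("#"):
            header = line[1:].split(",")
            continue
        if not line.strip() or header is None:
            continue
        row = dict(zip(header, line.split(",")))
        drop = float(row["pkt_drop_percent"])
        if drop > threshold_pct:
            flagged.append((int(row["time"]), drop))
    return flagged


if __name__ == "__main__":
    for label, block in (("2.9.8.0", TOTALS_2980), ("2.9.7.6", TOTALS_2976)):
        ok, pct = check_accounting(parse_totals(block))
        print(f"{label}: parts sum to Received = {ok}, drop% = {pct}")
    for t, d in high_drop_intervals(SNORT_STATS_2980, 25.0):
        print(f"interval {t}: {d}% dropped")
```

Running the example prints a drop percentage of 27.042 for the 2.9.8.0 block and 1.203 for the 2.9.7.6 block, matching what Snort printed, which is what supports reading Dropped as a count alongside Received rather than a subset of it.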