Re: Large Packet Drop with SNort-2.9.80 as compared to Snort-2.9.7.6

[Dheeraj Gupta <dheeraj.gupta4 () gmail com>]

Hi,

I am also confused about the drop count. This is what I got after a
separate brief snort run (on a different machine)

===============================================================================
Run time for packet processing was 497.799669 seconds
Snort processed 7139620 packets.
Snort ran for 0 days 0 hours 8 minutes 17 seconds
   Pkts/min:       892452
   Pkts/sec:        14365

===============================================================================
Packet I/O Totals:
   Received:     14977160
   Analyzed:      7139620 ( 47.670%)
    Dropped:     11666105 ( 43.786%)
   Filtered:      7046472 ( 47.048%)
Outstanding:       791068 (  5.282%)
   Injected:            0
===============================================================================

The totals and percentages do not tally. Can someone explain how filtered,
received, analyzed and dropped numbers should be interpreted?

Regards,
Dheeraj

On Thu, Dec 17, 2015 at 11:46 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
wrote:

> Hi,
>
> The test was run for the same PCAP so number of packets is same in both
> cases (9220233). The packet I/O totals as output by two snorts are:
>
> Snort-2.9.8.0
> ------------------------
>
> ===============================================================================
> Run time for packet processing was 783.512468 seconds
> Snort processed 9220233 packets.
> Snort ran for 0 days 0 hours 13 minutes 3 seconds
>    Pkts/min:       709248
>    Pkts/sec:        11775
>
> ===============================================================================
>
> ===============================================================================
> Packet I/O Totals:
>    Received:      9220233
>    Analyzed:      9220233 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
>
> ===============================================================================
>
>
> Snort-2.9.7.6
> -----------------------
>
>
> ===============================================================================
> Run time for packet processing was 547.131014 seconds
> Snort processed 9220233 packets.
> Snort ran for 0 days 0 hours 9 minutes 7 seconds
>    Pkts/min:      1024470
>    Pkts/sec:        16856
>
> ===============================================================================
>
> ===============================================================================
> Packet I/O Totals:
>    Received:      9220233
>    Analyzed:      9220233 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
>
> ===============================================================================
>
> Again as the test is against a static PCAP, there will be no drops.
> However, in this test Snort-2.9.8.0 is almost 30% slower (processes about
> 11.7K pkts/s as against 16.8K pkts/s) than Snort-2.9.7.6. When used with
> live traffic, wouldn't this cause increased packet drops?
>
> Regards,
> Dheeraj
>
> On Wed, Dec 16, 2015 at 8:02 PM, Nageswara Rao A.V.K (navk) <
> navk () cisco com> wrote:
>
> > You did not provide “Packet I/O Totals:” for this test.
> >
> > We have to compare that data.
> >
> >
> >
> > I don’t think previous stats will applicable here.
> >
> > Because the number of pkts are different here.
> >
> >
> >
> > Best Regards,
> >
> > -ANR
> >
> >
> >
> > *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
> > *Sent:* Wednesday, December 16, 2015 5:16 PM
> > *To:* Nageswara Rao A.V.K (navk)
> > *Cc:* snort-devel () lists sourceforge net
> > *Subject:* Re: [Snort-devel] Large Packet Drop with SNort-2.9.80 as
> > compared to Snort-2.9.7.6
> >
> >
> >
> > Hi,
> >
> > I captured a large PCAP (6.6G ~9M packets) and analyzed it through both
> > Snort-2.9.7.6 and 2.9.8.0 with almost identical configuration file (memcap
> > etc.). Since SO rules for Snort-2.9.7.6 cannot be used with 2.9.8.0, so
> > number of rules for 2.9.8.0 was less (about 11k) as compared to 2.9.7.6
> > (12k).
> >
> > Here is a summary of end of run stats
> >
> > Snort-2.9.7.6
> >
> >
> > ===============================================================================
> > Run time for packet processing was 547.131014 seconds
> > Snort processed 9220233 packets.
> > Snort ran for 0 days 0 hours 9 minutes 7 seconds
> >    Pkts/min:      1024470
> >    Pkts/sec:        16856
> >
> > ===============================================================================
> >
> > Snort-2.9.8.0
> >
> > ===============================================================================
> > Run time for packet processing was 783.512468 seconds
> > Snort processed 9220233 packets.
> > Snort ran for 0 days 0 hours 13 minutes 3 seconds
> >    Pkts/min:       709248
> >    Pkts/sec:        11775
> >
> > ===============================================================================
> >
> > snort.conf is attached
> >
> >
> >
> > On Tue, Dec 15, 2015 at 10:03 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
> > wrote:
> >
> > Hi,
> >
> > The traffic is captured from a live interface, so it is not exactly same.
> > However, it is from the same network and same network filter over a
> > contiguous time range. So, characteristics of the trafic are broadly the
> > same i.e. most of it is user browsing data. The reason I wrote this e-mail
> > is because on a weekday, we have an average 100-150 Mbps on the wire and
> > Snort-2.9.7.6 reported less losses (<10%). However, Snort-2.9.8.0 reported
> > over 40% drops with comparable traffic load/pattern.
> >
> > Snort logs do not have any additional entry apart from session pruned due
> > to timeout/stale (same in both cases).
> >
> > Regards,
> >
> > Dheeraj
> >
> >
> >
> > On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) <
> > navk () cisco com> wrote:
> >
> > Hi Dheeraj,
> >
> >    We need more info to get in to conclusion.
> >
> >
> >
> > Are you passing same traffic in both scenario’s??
> >
> >
> >
> > Did you verify snort logs ??
> >
> > You may know the reason for pkt drops.
> >
> >
> >
> > We did not notice this problems in our observation.
> >
> > More details may help us to analyze the problem.
> >
> >
> >
> > Best Regards,
> >
> > -ANR
> >
> >
> >
> > *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 () gmail com]
> > *Sent:* Monday, December 14, 2015 11:30 AM
> > *To:* snort-devel () lists sourceforge net
> > *Subject:* [Snort-devel] Large Packet Drop with SNort-2.9.80 as compared
> > to Snort-2.9.7.6
> >
> >
> >
> > Hi,
> >
> > I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade
> > one of my sensors showed (somewhat expected) packet drops. However, after
> > the upgrade the packet drop increased significantly even though the number
> > of rules decreased (as SO rules are not in use with 2.9.8.0). I am still
> > using Snort-2.9.7.6 rulesets (as advised by you).
> >
> > Here is a snip from my snort.stats file for 2.9.8.0
> >
> > #time,pkt_drop_percent,wire_mbits_per_sec.realtime
> > 1450068900,33.873,124.415
> > 1450069200,23.718,121.253
> > 1450069500,26.014,120.349
> > 1450069800,26.368,120.821
> > 1450070100,23.706,116.493
> > 1450070400,21.039,121.363
> >
> > For Snort-2.9.7.6, the snip is
> > #time,pkt_drop_percent,wire_mbits_per_sec.realtime
> > 1450071180,0.000,79.159
> > 1450071480,0.000,118.671
> > 1450071780,2.146,132.186
> > 1450072080,8.337,130.408
> >
> >
> >
> > Looking at end-of-snort stats. This is for 2.9.8.0
> >
> > Packet I/O Totals:
> >    Received:    804563792
> >    Analyzed:    388361098 ( 48.270%)
> >     Dropped:    298207658 ( 27.042%)
> >    Filtered:    415840607 ( 51.685%)
> >    Outstanding:       362087 (  0.045%)
> >    Injected:            0
> >
> > And this is for 2.9.7.6
> >
> > Packet I/O Totals:
> >    Received:     60969886
> >    Analyzed:     30035104 ( 49.262%)
> >     Dropped:       742645 (  1.203%)
> >    Filtered:     30927585 ( 50.726%)
> >    Outstanding:         7197 (  0.012%)
> >    Injected:            0
> >
> > I have a longish BPF filter, so is the filtered count an indication of
> > the amount of traffic which was filtered by that filter?
> >
> > Also is dropped count a subset of analyzed count or received count? I ask
> > this because it appears
> >
> > received_count = analyzed + filtered
> >
> > so dropped_count doesn't really fit in
> >
> >
> >
> > Regards,
> >
> > Dheeraj
------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!