Re: Possible bug in perfmonitor: pkt_drop_percent

[Dheeraj Gupta <dheeraj.gupta4 () gmail com>]

In continuation, here's an untested partial patch which assumes drops are
calculated based on packets received by hardware.


On Thu, Aug 25, 2016 at 4:29 PM, Dheeraj Gupta <dheeraj.gupta4 () gmail com>
wrote:

> Hi,
>
> I had earlier written to this list to report large packet drops in 2.9.8.x
> (https://sourceforge.net/p/snort/mailman/snort-devel/thread/
> CAOsL98NEqzDEXVH6d2Cu8cbrD-i6MWJ_fHcYZdL9ZS6w3PKMYw%
> 40mail.gmail.com/#msg34692462)
>
> I got hit with this again after upgrade to 2.9.8.3 from 2.9.7.6 in one of
> my heavier sensors. The pkt drops as reported in snort.stats file (by
> perfmonitor) is a mind boggling 70-80%. Despite putting BPF filters (which
> reduced the packets snort sees), the drop rate did not reduce a bit.
>
> Here is the end of session totals seen in snort when filter is in effect
>
> Snort processed 4225228 packets.
> Snort ran for 0 days 0 hours 8 minutes 37 seconds
>    Pkts/min:       528153
>    Pkts/sec:         8172
>
> ========================================================
> Packet I/O Totals:
>    Received:     35543908
>    Analyzed:      4225228 ( 11.887%)
>     Dropped:     13258753 ( 27.168%)
>    Filtered:     30643474 ( 86.213%)
> Outstanding:       675206 (  1.900%)
>    Injected:            0
> =========================================================
>
> However, this is what is logged in the stats file (I write it to a DB)
>
> +---------------------+------------------------------+------
> -----------------+-------------------------+
> | timestamp           | round(kpackets_wire_per_sec) |
> round(wire_traf_rate) | round(pkt_drop_percent) |
> +---------------------+------------------------------+------
> -----------------+-------------------------+
> | 2016-08-25 16:00:00 |                            8 |
> 38 |                      78 |
> | 2016-08-25 15:55:00 |                            1 |
> 4 |                      61 |
>
> While the effective drop rate is around 28%, stats file shows it as
> 75-80%!!
>
> Looking at the code, the problem becomes clearer
> - End Stats - (src/util.c:DropStats)
>   Dropped packets is hw_packets_dropeed/(hw_packets_dropped +
> hw_packets_received)*100.0
>   This means this is totally derived from hardware and Snort doesn't come
> into picture. Seems legit.
>
> - PerfMonitor - (src/preprocessors/perf-base.c:GetPktDropStats)
>   Dropped packets is calculated as hw_pkts_drop/(pkts_recv +
> hw_packets_drop)
>   Here pkts_recv is packets received by snort.
>   As large number of packets are filtered, the number of packets actually
> received by snort is less and so reported % drops are higher.
>   I think it would be better if perfmonitor also computes drop percent
> based on hw_packets_received and NOT packets_received_by_snort because
> filtered packets are not drops.
>
> Note: The gripe with slower performance in 2.9.8.x is still there. here
> are the reference stats for 2.9.7.6 for the same sensor about an hour
> earlier
>
> Snort processed 9984264 packets.
> Snort ran for 0 days 0 hours 12 minutes 52 seconds
>    Pkts/min:       832022
>    Pkts/sec:        12932
>
> =======================================================
> Packet I/O Totals:
>    Received:     52933119
>    Analyzed:      9984264 ( 18.862%)
>     Dropped:            0 (  0.000%)
>    Filtered:     42951276 ( 81.143%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
> =======================================================
>
> Regards,
> Dheeraj

Attachment: pkt_drop_percent.patch
Description:

------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!