[Snort-devel] Regarding Version 1.8.7beta5 (Build 127) and Version 1.9-dev (Build 160)

Phil Wood cpw at ...86...
Fri Jun 21 09:06:03 EDT 2002


Has anyone reported abnormal packet loss caused by excessive processing with
these versions?  

I don't have a parallel full tcpdump to show what kind of data is involved.
I do have 10 second stats as well as a stat record for each session for the
same time period (no packet loss, but the stat app just collects the first
68 bytes of each packet [unfortunately all I get in the end is a summary of
each unique session]).  The overall load is not significant (it's data
collected between midnight and around 7:15 am this morning).  However, the
pcap statistics show a change from ~600 pps to ~40,000 pps.

Hmmm, below are 2 session stat records which show what's happening.  I would
hazard a guess that I just don't have a fast enough system.  And, I 
bothered you with a normal event which I'm going to bpf away.

starttime         sip          sprt  dip          dprt     topkts tobytes   from..  delta seconds

1024640392.223393 10.79.240.12 38337 192.168.19.2 5031 tcp 178445 257962595 75378 0 14.937221
1024640392.223864 10.79.240.12 38338 192.168.19.2 5031 tcp 178440 257959699 75803 0 14.905042

That comes to about 277 Mbits per second caused by two simultaneous transfers
lasting around 15 seconds all in the name of testing throughput.  No wonder
I lost some packets.  Too bad it takes such a toll.

Snort Version 1.8.7beta5 (Build 127) displayed the following on termination.

Snort analyzed 22212404 out of 23558150 packets, The kernel dropped 1289375(5.473%) packets

Breakdown by protocol:                Action Stats:
    TCP: 21085045   (89.502%)         ALERTS: 13918     
    UDP: 731970     (3.107%)          LOGGED: 11523     
   ICMP: 184379     (0.783%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 186311     (0.791%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 137378     (0.583%)
    Fragment Trackers: 56328     
   Rebuilt IP Packets: 56308     
   Frag elements used: 137330    
Discarded(incomplete): 0         
   Discarded(timeout): 56324     
  Frag2 memory faults: 11        
===============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 21084618   (89.500%)
         Stream Trackers: 319728    
          Stream flushes: 189104    
           Segments used: 274301    
   Stream4 Memory Faults: 0         
===============================================================================

My pcap stats show:

# pstats bg20020621.0000.stats
S: 09:15:30, 22268775 packets processed at 706.66 pps in 33325 seconds, with 1289375 drops.

for the same period.   I guess I gotta look at how all those numbers get
calculated again.

Later,

Phil
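The arithmetic behind the post (two ~15 second sessions adding up to roughly 277 Mbit/s, and a kernel drop percentage of 5.473%) is easy to redo by hand, but when a sensor reports drops it is worth having the check scripted so the burst that caused them can be identified from the session records. The following is an added example, not Phil's stat app or any Snort code; it parses the two session records and the Snort summary line quoted above. The column names after `proto` (topkts, tobytes, frompkts, frombytes, delta seconds) are an assumption read off the header, since the header in the post is narrower than the data rows.

```python
"""Rate the session records and the Snort termination summary from the post.

Added example (not from the original post or from Snort): parses the per-session
stat records, computes per-session and aggregate Mbit/s and pps over the window
the sensor actually saw, and recomputes the drop percentage from the summary.
"""
import re
from dataclasses import dataclass

# Constructed copy of the two records quoted in the post.  Column layout after
# 'proto' is an assumption: topkts tobytes frompkts frombytes duration_seconds.
SESSION_RECORDS = """\
1024640392.223393 10.79.240.12 38337 192.168.19.2 5031 tcp 178445 257962595 75378 0 14.937221
1024640392.223864 10.79.240.12 38338 192.168.19.2 5031 tcp 178440 257959699 75803 0 14.905042
"""

# The Snort 1.8.7beta5 (Build 127) summary line quoted in the post.
SNORT_SUMMARY = ("Snort analyzed 22212404 out of 23558150 packets, "
                 "The kernel dropped 1289375(5.473%) packets")


@dataclass
class Session:
    start: float
    sip: str
    sport: int
    dip: str
    dport: int
    proto: str
    topkts: int
    tobytes: int
    frompkts: int
    frombytes: int
    duration: float

    @property
    def end(self) -> float:
        return self.start + self.duration

    @property
    def mbps(self) -> float:
        """Forward-direction throughput: bytes * 8 / seconds / 1e6."""
        return self.tobytes * 8 / self.duration / 1e6

    @property
    def pps(self) -> float:
        """Packets per second counting both directions."""
        return (self.topkts + self.frompkts) / self.duration


def parse_sessions(text: str) -> list[Session]:
    """Parse whitespace-separated session records; skip header/blank lines."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 11:
            continue
        sessions.append(Session(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5],
                                int(f[6]), int(f[7]), int(f[8]), int(f[9]), float(f[10])))
    return sessions


def _window(sessions: list[Session]) -> float:
    """Length of the union of the sessions' time windows, in seconds."""
    return max(s.end for s in sessions) - min(s.start for s in sessions)


def aggregate_mbps(sessions: list[Session]) -> float:
    """Combined bit rate over the union window, i.e. what the sensor had to
    keep up with while the transfers overlapped (both directions)."""
    total_bytes = sum(s.tobytes + s.frombytes for s in sessions)
    return total_bytes * 8 / _window(sessions) / 1e6


def aggregate_pps(sessions: list[Session]) -> float:
    """Combined packet rate over the union window (both directions)."""
    return sum(s.topkts + s.frompkts for s in sessions) / _window(sessions)


_SUMMARY_RE = re.compile(
    r"Snort analyzed (\d+) out of (\d+) packets, "
    r"The kernel dropped (\d+)\(([\d.]+)%\) packets")


def parse_snort_summary(line: str) -> dict:
    """Extract the counters and recompute the drop percentage from them.
    'unaccounted' is simply total - analyzed - dropped on the posted figures."""
    m = _SUMMARY_RE.search(line)
    if not m:
        raise ValueError("not a Snort termination summary line")
    analyzed, total, dropped = (int(x) for x in m.group(1, 2, 3))
    return {
        "analyzed": analyzed,
        "total": total,
        "dropped": dropped,
        "drop_pct": dropped / total * 100,
        "drop_pct_reported": float(m.group(4)),
        "unaccounted": total - analyzed - dropped,
    }


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_RECORDS)
    for s in sessions:
        print(f"{s.sip}:{s.sport} -> {s.dip}:{s.dport}  {s.mbps:.1f} Mbit/s  {s.pps:.0f} pps")
    print(f"aggregate: {aggregate_mbps(sessions):.1f} Mbit/s, {aggregate_pps(sessions):.0f} pps")
    print(parse_snort_summary(SNORT_SUMMARY))
```

Rating the sessions over the union of their windows rather than summing per-session averages matters here: the two transfers started within half a millisecond of each other, so the sensor saw both at once, and the aggregate (about 276 Mbit/s, some 34,000 pps in both directions) is the figure to compare against the drop counter, not either session alone.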