[Snort-devel] snort statistics 1.9.0 <-> 1.8.7

Jens Krabbenhoeft tschenz-snort-devel at ...1606...
Tue Oct 8 02:25:04 EDT 2002


Hi all,

  I realized that the snort statistics (via USR1 in -D mode, or after
CTRL-C in non-daemon mode) are calculated differently in snort 1.9 and
1.8.7.

The code-snippets show:

1.9.0:
    LogMessage("Snort analyzed %d out of %d packets, ", 
            ps.ps_recv, ps.ps_recv+ps.ps_drop);
 
1.8.7:
    LogMessage("Snort analyzed %ld out of %d packets, ", 
            (unsigned long) recv, ps.ps_recv);

So the total number of packets is in 1.9.0 the number of "ps_recv" plus
"ps_drop", in 1.8.7 just ps_recv.

After having a look into libpcap (0.7.1 linux), I found the following:

    * When the statistics are returned for a PACKET_STATISTICS
    * "getsockopt()" call, "tp_drops" is added to "tp_packets",
    * so that "tp_packets" counts all packets handed to
    * the PF_PACKET socket, including packets dropped because
    * there wasn't room on the socket buffer - but not
    * including packets that didn't pass the filter.

Thus snort 1.8.7 reports the correct number of received packets (when i
tcpreplay a pcap file with 997083 packets, snort reports 997083 received
packets), whereas 1.9.0 reports more packets than 997083 as received
ones, because it adds the number of dropped packets onto them once
again. So after having replayed the mentioned pcap-file I got following
output:

Snort analyzed 997083 out of 1602036 packets, dropping 604953(37.762%) packets
(the summary-statistics for the protocols summed up roughly give the
difference between 997083 and 604953).

Is this a known bug - or not a bug but a feature, or better to say, the
way snort(-developers) see the sense of ps_recv/ps_drop (I know, that
pcap-implementations on different platforms handle ps_recv/ps_drop
differently :|)?

Regards,

	Jens




More information about the Snort-devel mailing list