[Snort-devel] snort statistics 1.9.0 <-> 1.8.7
cmg at ...835...
Wed Oct 16 16:12:02 EDT 2002
Jens Krabbenhoeft <tschenz-snort-devel at ...1606...> writes:
> Hi all,
> I realized that the snort statistics (via USR1 in -D mode, or after
> CTRL-C in non-daemon mode) are calculated differently in snort 1.9 and
> The code-snippets show:
> LogMessage("Snort analyzed %d out of %d packets, ",
> ps.ps_recv, ps.ps_recv+ps.ps_drop);
> LogMessage("Snort analyzed %ld out of %d packets, ",
> (unsigned long) recv, ps.ps_recv);
> So the total number of packets is in 1.9.0 the number of "ps_recv" plus
> "ps_drop", in 1.8.7 just ps_recv.
I need to go investigate why ps drop came in. I think it's because of
Phil Wood :) Perhaps it's my fault for not removing the addition in
Flagged to my todo list :)
> After having a look into libpcap (0.7.1 linux), I found the following:
> * When the statistics are returned for a PACKET_STATISTICS
> * "getsockopt()" call, "tp_drops" is added to "tp_packets",
> * so that "tp_packets" counts all packets handed to
> * the PF_PACKET socket, including packets dropped because
> * there wasn't room on the socket buffer - but not
> * including packets that didn't pass the filter.
> Thus snort 1.8.7 reports the correct number of received packets (when I
> tcpreplay a pcap file with 997083 packets, snort reports 997083 received
> packets), whereas 1.9.0 reports more packets than 997083 as received
> ones, because it adds the number of dropped packets onto them once
> again. So after having replayed the mentioned pcap-file I got following
> Snort analyzed 997083 out of 1602036 packets, dropping 604953(37.762%) packets
> (the summary-statistics for the protocols summed up roughly give the
> difference between 997083 and 604953).
> Is this a known bug - or not a bug but a feature, or better to say, the
> way snort(-developers) see the sense of ps_recv/ps_drop (I know, that
> pcap-implementations on different platforms handle ps_recv/ps_drop
> differently :|)?
Chris Green <cmg at ...402...>
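
The accounting question raised in this thread, as an added example (not Snort or libpcap code): the same two counters summarized under both meanings of ps_recv, using the counter values from the replay in the post. The struct, enum and function names are hypothetical, and the example generalizes the Linux case into a per-platform flag.

```c
#include <stdio.h>

/* Mirrors the two pcap_stat counters discussed in the thread. */
struct cap_stats {
    unsigned int ps_recv;
    unsigned int ps_drop;
};

/* Hypothetical flag: what ps_recv means on the capture platform. */
enum recv_semantics {
    RECV_INCLUDES_DROPS,  /* Linux PF_PACKET case, per the quoted libpcap comment */
    RECV_EXCLUDES_DROPS   /* ps_recv counts only packets actually delivered */
};

struct drop_report {
    unsigned long analyzed;  /* packets the sensor really inspected */
    unsigned long total;     /* packets that passed the filter */
    double drop_pct;         /* share of total that was never inspected */
};

struct drop_report summarize(struct cap_stats ps, enum recv_semantics sem)
{
    struct drop_report r;
    if (sem == RECV_INCLUDES_DROPS) {
        /* Drops are already inside ps_recv: adding them again inflates
         * the total and understates the drop rate. */
        r.total = ps.ps_recv;
        r.analyzed = ps.ps_recv >= ps.ps_drop ? ps.ps_recv - ps.ps_drop : 0;
    } else {
        r.total = (unsigned long)ps.ps_recv + ps.ps_drop;
        r.analyzed = ps.ps_recv;
    }
    r.drop_pct = r.total ? 100.0 * ps.ps_drop / r.total : 0.0;
    return r;
}

int main(void)
{
    struct cap_stats ps = { 997083u, 604953u };  /* counters from the post */
    struct drop_report a = summarize(ps, RECV_EXCLUDES_DROPS);
    struct drop_report b = summarize(ps, RECV_INCLUDES_DROPS);
    printf("recv+drop as total: %lu of %lu, dropped %.3f%%\n",
           a.analyzed, a.total, a.drop_pct);
    printf("recv as total:      %lu of %lu, dropped %.3f%%\n",
           b.analyzed, b.total, b.drop_pct);
    return 0;
}
```

For a sensor operator the difference matters because the drop percentage is the share of traffic the IDS never inspected.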