[Snort-devel] snort statistics 1.9.0 <-> 1.8.7

Chris Green cmg at ...835...
Wed Oct 16 16:12:02 EDT 2002


Jens Krabbenhoeft <tschenz-snort-devel at ...1606...> writes:

> Hi all,
>
>   I realized that the snort statistics (via USR1 in -D mode, or after
> CTRL-C in non-daemon mode) are calculated differently in snort 1.9 and
> 1.8.7.
>
> The code-snippets show:
>
> 1.9.0:
>     LogMessage("Snort analyzed %d out of %d packets, ", 
>             ps.ps_recv, ps.ps_recv+ps.ps_drop);
>  
> 1.8.7:
>     LogMessage("Snort analyzed %ld out of %d packets, ", 
>             (unsigned long) recv, ps.ps_recv);
>
> So in 1.9.0 the total number of packets is "ps_recv" plus "ps_drop";
> in 1.8.7 it is just ps_recv.
>

I need to go investigate why ps drop came in.  I think it's because of
Phil Wood :)  Perhaps it's my fault for not removing the addition in
the recv...

Flagged to my todo list :)

> After having a look into libpcap (0.7.1 linux), I found the following:
>
>     * When the statistics are returned for a PACKET_STATISTICS
>     * "getsockopt()" call, "tp_drops" is added to "tp_packets",
>     * so that "tp_packets" counts all packets handed to
>     * the PF_PACKET socket, including packets dropped because
>     * there wasn't room on the socket buffer - but not
>     * including packets that didn't pass the filter.
>
> Thus snort 1.8.7 reports the correct number of received packets (when I
> tcpreplay a pcap file with 997083 packets, snort reports 997083 received
> packets), whereas 1.9.0 reports more packets than 997083 as received
> ones, because it adds the number of dropped packets onto them once
> again. So after having replayed the mentioned pcap file I got the
> following output:
>
> Snort analyzed 997083 out of 1602036 packets, dropping 604953(37.762%) packets
> (the summary-statistics for the protocols summed up roughly give the
> difference between 997083 and 604953).
>
> Is this a known bug - or not a bug but a feature, or better to say, the
> way snort(-developers) see the sense of ps_recv/ps_drop (I know that
> pcap implementations on different platforms handle ps_recv/ps_drop
> differently :|)?
>
> Regards,
>
> 	Jens
>

-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.
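Added example, not code from the thread or from Snort/libpcap: the two ways of turning the pcap_stats counters into the summary line, run on Jens's numbers. struct pkt_stats stands in for libpcap's pcap_stat so it compiles without pcap.h; the "linux-aware" variant assumes the libpcap 0.7.1 PF_PACKET behaviour quoted above (ps_recv already includes ps_drop).

```c
#include <stdio.h>

/* Stand-in for libpcap's struct pcap_stat, declared here so the example
 * builds without pcap.h. Field meanings follow pcap_stats(). */
struct pkt_stats { unsigned int ps_recv; unsigned int ps_drop; };
/* What the "Snort analyzed X out of Y packets, dropping Z(P%)" line prints. */
struct summary { unsigned int analyzed; unsigned int total; double drop_pct; };

static double pct(unsigned int part, unsigned int whole)
{
    return whole ? 100.0 * part / whole : 0.0;   /* avoid divide by zero */
}

/* The 1.9.0 formula from the thread: total = ps_recv + ps_drop. This is only
 * right where ps_recv excludes dropped packets. */
static struct summary summarize_1_9_0(struct pkt_stats ps)
{
    struct summary s;
    s.analyzed = ps.ps_recv;
    s.total = ps.ps_recv + ps.ps_drop;
    s.drop_pct = pct(ps.ps_drop, s.total);
    return s;
}

/* Linux PF_PACKET semantics quoted from libpcap 0.7.1: tp_drops has already
 * been added into tp_packets, so ps_recv is the total handed to the socket
 * and the packets actually seen by snort are ps_recv - ps_drop. */
static struct summary summarize_recv_includes_drops(struct pkt_stats ps)
{
    struct summary s;
    s.total = ps.ps_recv;
    s.analyzed = ps.ps_recv >= ps.ps_drop ? ps.ps_recv - ps.ps_drop : 0;
    s.drop_pct = pct(ps.ps_drop, s.total);
    return s;
}

static void print_summary(const char *label, struct summary s)
{
    printf("%-12s Snort analyzed %u out of %u packets, dropping %u(%.3f%%) packets\n",
           label, s.analyzed, s.total, s.total - s.analyzed, s.drop_pct);
}

int main(void)
{
    /* Counters from Jens's tcpreplay run, as the thread reports them. */
    struct pkt_stats ps = { 997083u, 604953u };
    print_summary("1.9.0:", summarize_1_9_0(ps));
    print_summary("linux-aware:", summarize_recv_includes_drops(ps));
    return 0;
}
```

The first line reproduces the 1602036 / 37.762% output from the thread; the second shows the same counters read with the Linux semantics, so the total equals the 997083 packets that were replayed.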
