[Snort-devel] number of packets processed is mis-calculated under Linux

Bart Haagdorens Bart.Haagdorens at ...2220...
Mon Dec 8 07:58:00 EST 2003


Hi,

I want to report a bug in snort's statistics display when processing 'live'
traffic on a Linux platform. 

The problem is due to the interpretation of ps_recv and ps_drop returned by
pcap-stats. In the libpcap 0.7.2 sourcecode for Linux (pcap-linux.c), line
664, an interesting comment describes the correct interpretation of these
numbers:

 ps_recv "counts all packets handed to the PF_PACKET socket, including
packets dropped because there wasn't room on the socket buffer (...)"
 ps_drop "is incremented for every packet dropped because there's not enough
free space in the socket buffer."

So, the total number of packets that pass the filter is (ps_recv), the
number of packets dropped is (ps_drop) and the number of packets that are put
into the socket buffer is (ps_recv-ps_drop). We verified this interpretation
with some experiments on live traffic.

The interpretation in snort 2.0.5, util.c, line 917 is clearly wrong:

            LogMessage("Snort analyzed %d out of %d packets, ", 
                    ps.ps_recv, ps.ps_recv+ps.ps_drop);

            if(ps.ps_recv)
            {
                LogMessage("dropping %d(%.3f%%) packets\n\n", 
                        ps.ps_drop, 
                        CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv+ps.ps_drop) ));
            }

The number of dropped packets is already included in ps_recv, but it is
added once again! So the statistics count the dropped packets twice, which
can be very confusing.

Correct would be:

            LogMessage("Snort analyzed %d out of %d packets, ", 
                    ps.ps_recv-ps.ps_drop, ps.ps_recv);

            if(ps.ps_recv)
            {
                LogMessage("dropping %d(%.3f%%) packets\n\n", 
                        ps.ps_drop, 
                        CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv) ));
            }

I don't know how the numbers should be handled on other platforms, but for
Linux the current interpretation is clearly mistaken.

Regards,

Bart Haagdorens

_________________________________
Bart Haagdorens
Vrije Universiteit Brussel
TW-INFO
Pleinlaan 2
B-1050 Brussels
Belgium

bart.haagdorens at ...2220...

Tel: +32 2 629 24 94
GSM: +32 477 69 77 21
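
The double counting described in the message above, as an added example that is not part of the original post or of Snort's or libpcap's source: a constructed stand-in for libpcap's struct pcap_stat (same field names) is fed to the Snort 2.0.5 formula and to the Linux-correct one, so the two summaries can be compared side by side. The struct and function names are assumptions made for this example.

```c
#include <stdio.h>

/* Constructed stand-in for libpcap's struct pcap_stat (field names as in
 * libpcap) so the example builds without pcap.h. Linux semantics from
 * pcap-linux.c: ps_recv already includes the dropped packets. */
struct pcap_stat_ex {
    unsigned int ps_recv;  /* all packets handed to the PF_PACKET socket, drops included */
    unsigned int ps_drop;  /* packets dropped for lack of socket-buffer space */
};

struct snort_summary {
    unsigned int analyzed; /* packets that actually reached the socket buffer */
    unsigned int total;    /* packets that passed the filter */
    unsigned int dropped;
    double drop_pct;
};

static double calc_pct(double part, double whole)
{
    return whole > 0.0 ? 100.0 * part / whole : 0.0;
}

/* Snort 2.0.5 util.c formula: ps_drop is added on top of ps_recv, so every
 * dropped packet is counted twice and the drop percentage is understated. */
struct snort_summary summary_snort_2_0_5(struct pcap_stat_ex ps)
{
    struct snort_summary s = { ps.ps_recv, ps.ps_recv + ps.ps_drop, ps.ps_drop, 0.0 };
    s.drop_pct = calc_pct(ps.ps_drop, ps.ps_recv + ps.ps_drop);
    return s;
}

/* Linux-correct formula: analyzed = ps_recv - ps_drop, total = ps_recv.
 * ps_drop can never exceed ps_recv on Linux; the clamp only guards against
 * unsigned wrap-around if a counter set ever violates that invariant. */
struct snort_summary summary_linux(struct pcap_stat_ex ps)
{
    unsigned int drop = ps.ps_drop > ps.ps_recv ? ps.ps_recv : ps.ps_drop;
    struct snort_summary s = { ps.ps_recv - drop, ps.ps_recv, drop, 0.0 };
    s.drop_pct = calc_pct(drop, ps.ps_recv);
    return s;
}

int main(void)
{
    struct pcap_stat_ex ps = { 1000, 100 }; /* constructed: 1000 passed the filter, 100 dropped */
    struct snort_summary bad = summary_snort_2_0_5(ps), good = summary_linux(ps);
    printf("2.0.5: analyzed %u out of %u, dropping %u (%.3f%%)\n", bad.analyzed, bad.total, bad.dropped, bad.drop_pct);
    printf("fixed: analyzed %u out of %u, dropping %u (%.3f%%)\n", good.analyzed, good.total, good.dropped, good.drop_pct);
    return 0;
}
```

With the constructed counters the 2.0.5 formula reports 1000 of 1100 packets analyzed and a 9.091% drop rate, while the Linux-correct formula reports 900 of 1000 analyzed and 10.000% dropped.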
