[Snort-devel] perfmon avg bytes/pkt columns misaligned

Lee Clemens snort at ...2953...
Wed Mar 4 10:41:04 EST 2009


Using Snort 2.8.3.2, I have found the code in perf-base.c which confirms
what I am seeing in the output.

I believe one of these two changes will correct the discrepancy:

Solution 1:
Update the comment and manual to reflect the app layer statistics being
logged twice:

1147,1148c1147,1148
<  * K-Packets/Sec (wire)
<  * Avg Bytes/Pkt  (wire)
---
>  * K-Packets/Sec (app layer)
>  * Avg Bytes/Pkt  (app layer)
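Review bot: relabelling the comment at 1147-1148 alone leaves the output contradicting the 2.8.3 manual text quoted below ("Avg Bytes/Pkt (wire) [duplicated below for easy comparison with other rates]"), so this option needs the manual changed in the same patch, and the label should use the same spelling as the output header ('applayer' rather than 'app layer'). Note also that with this option the early columns no longer carry any wire figure next to the other rates, which is the comparison the duplication was documented to provide, so it only makes sense if that intent is dropped.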


Solution 2:
Log the wire stats twice:

1222,1223c1222,1223
<                 sfBaseStats->kpackets_per_sec.realtime,
<                 sfBaseStats->avg_bytes_per_packet,
---
>                 sfBaseStats->kpackets_wire_per_sec.realtime,
>                 sfBaseStats->avg_bytes_per_wire_packet,
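Review bot: the substitution at 1222-1223 assumes `kpackets_wire_per_sec` and `avg_bytes_per_wire_packet` are the same fields written for the later '(wire)' column that the post reports as correct; confirm that, so both columns now agree, and that `kpackets_per_sec.realtime` and `avg_bytes_per_packet` are still emitted in their documented 'applayer' positions further along the line. The column count and order must stay unchanged, since consumers such as the R-squared calculation in the post key on column position (column G).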



Original Post to Snort-Users:

-----Original Message-----
From: Lee Clemens [mailto:snort at ...2953...] 
Sent: Friday, February 27, 2009 8:00 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] perfmon avg bytes/pkt columns misaligned?

Hello all,

I am using Snort 2.8.3.1 and 2.8.3.2 with the perfmon preprocessor and I
noticed something strange with the output while calculating R-squared values
with my drop rate.

The columns 'Avg Bytes/Pkt (wire)' (1st one) and 'Avg Bytes/Pkt (applayer)'
seem to be identical.

The second 'Avg Bytes/Pkt (wire)' is different from both of these.

The 2.8.3 manual states "Avg Bytes/Pkt (wire) [duplicated below for easy
comparison with other rates]" for the first 'Avg Bytes/Pkt'.

However, it seems to be a duplicate of 'Avg Bytes/Pkt (applayer)' instead.

Am I reading this correctly, or is the wrong value being duplicated in this
first column (column G or the first 'Avg Bytes/Pkt (wire)')?

The second 'Avg Bytes/Pkt (wire)' seems to be correct (95% stats are less
than 'Avg Bytes/Pkt (applayer)' and never over by more than 6 pkts).

I also see 18 columns which are not described in the 2.8.3 manual, but none
of them are close to matching either of the Avg Bytes/Pkt stats.

Lee
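As an added example (not from the post or from the Snort project), here is one way to check empirically which column the first 'Avg Bytes/Pkt (wire)' value actually mirrors, and to apply the "wire never over applayer by more than 6" sanity check the post describes. The rows are constructed, and the column indices are assumptions apart from column G (index 6).

```python
import csv
from io import StringIO

# Constructed perfmon-style rows (not real Snort output). Column positions
# are assumptions for this example: index 6 is column G, the first
# 'Avg Bytes/Pkt (wire)' named in the post; indices 8 and 11 stand in for
# 'Avg Bytes/Pkt (applayer)' and the second 'Avg Bytes/Pkt (wire)'.
SAMPLE_CSV = """\
1235782800,0.00,41.2,38.9,0.84,0.91,612.4,0.84,612.4,1.9,2.3,598.0
1235783100,0.00,40.7,38.1,0.80,0.88,640.1,0.80,640.1,1.8,2.2,631.5
1235783400,0.01,42.9,40.2,0.86,0.93,575.0,0.86,575.0,2.0,2.4,561.2
1235783700,0.00,39.8,37.4,0.79,0.86,655.3,0.79,655.3,1.7,2.1,660.0
"""

COL_FIRST_WIRE = 6    # column G in the post
COL_APPLAYER = 8      # assumed position of 'Avg Bytes/Pkt (applayer)'
COL_SECOND_WIRE = 11  # assumed position of the second 'Avg Bytes/Pkt (wire)'


def load_rows(text):
    """Parse comma-separated perfmon lines, skipping empty rows."""
    return [row for row in csv.reader(StringIO(text)) if row]


def duplicate_source(rows, first_wire=COL_FIRST_WIRE, applayer=COL_APPLAYER,
                     second_wire=COL_SECOND_WIRE):
    """Count, over all rows, whether the first '(wire)' column equals the
    'applayer' column or the second '(wire)' column. With the bug the post
    describes, the 'applayer' count equals the number of rows."""
    counts = {"applayer": 0, "second_wire": 0}
    for r in rows:
        first = float(r[first_wire])
        if first == float(r[applayer]):
            counts["applayer"] += 1
        if first == float(r[second_wire]):
            counts["second_wire"] += 1
    return counts


def wire_within_slack_ratio(rows, applayer=COL_APPLAYER,
                            second_wire=COL_SECOND_WIRE, slack=6.0):
    """Fraction of rows where the second '(wire)' average does not exceed
    the 'applayer' average by more than `slack`, the check the post uses to
    argue that the second column is the correct one."""
    ok = sum(1 for r in rows
             if float(r[second_wire]) <= float(r[applayer]) + slack)
    return ok / len(rows)


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(duplicate_source(rows))        # {'applayer': 4, 'second_wire': 0}
    print(wire_within_slack_ratio(rows))  # 1.0
```

Run it against a real perfmon file with the indices adjusted to the installed version's column layout; a non-zero 'applayer' count across most rows reproduces the discrepancy described above.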
