[Snort-devel] perfmon avg bytes/pkt columns misaligned
snort at ...2953...
Wed Mar 4 10:41:04 EST 2009
Using Snort 184.108.40.206, I have found the code in perf-base.c which confirms
what I am seeing in the output.
I believe one of these two changes will correct the discrepancy:
Update the comment and manual to reflect the app layer statistics being
< * K-Packets/Sec (wire)
< * Avg Bytes/Pkt (wire)
> * K-Packets/Sec (app layer)
> * Avg Bytes/Pkt (app layer)
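Review bot: the first changed line relabels K-Packets/Sec as app layer too, but the report quoted below only compares the Avg Bytes/Pkt columns, so the packet-rate value logged at that position should be checked against perf-base.c before its label changes. The new lines also write "(app layer)" where the existing column is quoted as 'Avg Bytes/Pkt (applayer)'; one spelling across the comment, the manual and the column names would avoid confusion. The hunk has no file name or line context, so resending it as a unified diff against perf-base.c and the manual source would make clear which text it edits.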
Log the wire stats twice:
Original Post to Snort-Users:
From: Lee Clemens [mailto:snort at ...2953...]
Sent: Friday, February 27, 2009 8:00 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] perfmon avg bytes/pkt columns misaligned?
I am using Snort 220.127.116.11 and 18.104.22.168 with the perfmon preprocessor and I
noticed something strange with the output while calculating R-squared values
with my drop rate.
The columns 'Avg Bytes/Pkt (wire)' (1st one) and 'Avg Bytes/Pkt (applayer)'
seem to be identical.
The second 'Avg Bytes/Pkt (wire)' is different from both of these.
The 2.8.3 manual states "Avg Bytes/Pkt (wire) [duplicated below for easy
comparison with other rates]" for the first 'Avg Bytes/Pkt'.
However, it seems to be a duplicate of 'Avg Bytes/Pkt (applayer)' instead.
Am I reading this correctly, or is the wrong value being duplicated in this
first column (column G or the first 'Avg Bytes/Pkt (wire)')?
The second 'Avg Bytes/Pkt (wire)' seems to be correct (95% stats are less
than 'Avg Bytes/Pkt (applayer)' and never over by more than 6 pkts).
I also see 18 columns which are not described in the 2.8.3 manual, but none
of them are close to matching either of the Avg Bytes/Pkt stats.
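One way to reproduce the comparison described in the post above, as an added example that is not part of the original message or of Snort: it finds columns that are identical in every row and measures how often one column falls below another. The sample rows, the column order and the '#' comment convention are constructed assumptions, not real perfmon output.

```python
import csv
import io
from itertools import combinations

# Constructed sample, NOT real perfmon output. Hypothetical column order:
# time, first "wire" column, applayer, second "wire" column
SAMPLE = """\
# constructed sample rows
1235782800,512.0,512.0,508.0
1235782860,640.5,640.5,633.0
1235782920,480.0,480.0,486.0
1235782980,700.0,700.0,691.5
"""

def load_rows(text):
    """Parse comma-separated rows of floats, skipping blank and '#' lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].lstrip().startswith("#"):
            continue
        rows.append([float(v) for v in rec])
    return rows

def identical_columns(rows, tol=0.0):
    """Return 0-based index pairs of columns that match in every row."""
    width = min(len(r) for r in rows)
    return [(a, b) for a, b in combinations(range(width), 2)
            if all(abs(r[a] - r[b]) <= tol for r in rows)]

def compare(rows, a, b):
    """Fraction of rows where column a < column b, and the largest a - b."""
    below = sum(1 for r in rows if r[a] < r[b])
    return below / len(rows), max(r[a] - r[b] for r in rows)

if __name__ == "__main__":
    rows = load_rows(SAMPLE)
    print("identical column pairs:", identical_columns(rows))
    print("second wire vs applayer:", compare(rows, 3, 2))
```

To run it on a real stats file, pass the file's text to load_rows() and use the column indices that apply to your Snort version.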