[Snort-devel] Clarification upon stats

Todd Wease twease at ...402...
Tue Jul 30 09:30:33 EDT 2013

Hello Reinoud,

On Wed, Jul 24, 2013 at 6:01 AM, sockstat <sockstat at ...445...> wrote:

> Hi Everyone,
> I wanted to ask about the performance counters that snort maintains. In
> the function detection_option_tree_evaluate you start maintaining
> ruleOTNEvalPerfStats using a macro. But this actually kicks in for any type
> of node while only the leaf nodes seem to be an OTN. It also adds up when a
> node type is Flow or pcre etc so maybe it should better be called
> ruleNODEEvalPerfStats? In detection_option_tree_evaluate you call
> detection_option_node_evaluate which in case of a leaf node gets the RTN
> from the OTN and fpEvalRTN is called where you maintain
> ruleRTNEvalPerfStats. So in the end screen where you print the stats out it
> seems to me that the microseconds for rule tree eval contain the rtn eval
> microseconds, because fpEvalRTN is called while counting the clock ticks
> for ruleOTNEvalPerfStats. In profile.c you print the amount of microseconds
> out. So rule tree eval is not just the ticks spent in
> detection_option_tree_evaluate, It has the clock ticks spent in fpEvalRTN
> included, while rtn eval is printed out sperately.

Yes, it looks like the RTN stats are counted in the OTN stats.  I'll create
a bug to see if we can get this fixed.

> Same thing holds for the mpse stats when __process_queue calls
> rule_tree_match, then the ticks spent in detection_oprion_tree_evaluate and
> fpEvalRTN are included in the ticks spent in mpseSearch. Hence it seems
> there is some overlap in the stats, because I don't see the ticks spent in
> fpEvalRTN subtracted from the amount of ticks spent in
> detection_option_tree_evaluate for example or did I miss this?

In rule_tree_match(), rulePerfStats are started and in
ShowPreprocProfiles() in profile.c it is subtracted from mpsePerfStats.

> Also in case of a core 2duo CPU the tsc isn't stable and hence the
> calculation of how many clock ticks occur per microsecond might not be
> accurate?
> Thanks, Reinoud.
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130730/5136d821/attachment.html>

More information about the Snort-devel mailing list