[Snort-devel] Large Packet Drop with SNort-2.9.80 as compared to Snort-2.9.7.6

elof at ...969... elof at ...969...
Mon Jan 25 05:26:07 EST 2016


Received -> Number of packets received by the hardware
Analyzed -> Number of packets received by the snort instance (DAQ)
Dropped -> Number of packets dropped by the hardware
Outstanding -> Number of packets that have been received by hardware but 
have not been filtered or received by the instance.


It looks like something is giving snort/daq false statistics.

/Elof

On Fri, 18 Dec 2015, Dheeraj Gupta wrote:

> Hi,
>
> I am also confused about the drop count. This is what I got after a
> separate brief snort run (on a different machine)
>
> ===============================================================================
> Run time for packet processing was 497.799669 seconds
> Snort processed 7139620 packets.
> Snort ran for 0 days 0 hours 8 minutes 17 seconds
>   Pkts/min:       892452
>   Pkts/sec:        14365
>
> ===============================================================================
> Packet I/O Totals:
>   Received:     14977160
>   Analyzed:      7139620 ( 47.670%)
>    Dropped:     11666105 ( 43.786%)
>   Filtered:      7046472 ( 47.048%)
> Outstanding:       791068 (  5.282%)
>   Injected:            0
> ===============================================================================
>
> The totals and percentages do not tally. Can someone explain how filtered,
> received, analyzed and dropped numbers should be interpreted?
>
> Regards,
> Dheeraj
>
> On Thu, Dec 17, 2015 at 11:46 AM, Dheeraj Gupta <dheeraj.gupta4 at ...3054....>
> wrote:
>
>> Hi,
>>
>> The test was run for the same PCAP so the number of packets is the same in
>> both cases (9220233). The packet I/O totals as output by the two snorts are:
>>
>> Snort-2.9.8.0
>> ------------------------
>>
>> ===============================================================================
>> Run time for packet processing was 783.512468 seconds
>> Snort processed 9220233 packets.
>> Snort ran for 0 days 0 hours 13 minutes 3 seconds
>>    Pkts/min:       709248
>>    Pkts/sec:        11775
>>
>> ===============================================================================
>>
>> ===============================================================================
>> Packet I/O Totals:
>>    Received:      9220233
>>    Analyzed:      9220233 (100.000%)
>>     Dropped:            0 (  0.000%)
>>    Filtered:            0 (  0.000%)
>> Outstanding:            0 (  0.000%)
>>    Injected:            0
>>
>> ===============================================================================
>>
>>
>> Snort-2.9.7.6
>> -----------------------
>>
>>
>> ===============================================================================
>> Run time for packet processing was 547.131014 seconds
>> Snort processed 9220233 packets.
>> Snort ran for 0 days 0 hours 9 minutes 7 seconds
>>    Pkts/min:      1024470
>>    Pkts/sec:        16856
>>
>> ===============================================================================
>>
>> ===============================================================================
>> Packet I/O Totals:
>>    Received:      9220233
>>    Analyzed:      9220233 (100.000%)
>>     Dropped:            0 (  0.000%)
>>    Filtered:            0 (  0.000%)
>> Outstanding:            0 (  0.000%)
>>    Injected:            0
>>
>> ===============================================================================
>>
>> Again as the test is against a static PCAP, there will be no drops.
>> However, in this test Snort-2.9.8.0 is almost 30% slower (processes about
>> 11.7K pkts/s as against 16.8K pkts/s) than Snort-2.9.7.6. When used with
>> live traffic, wouldn't this cause increased packet drops?
>>
>> Regards,
>> Dheeraj
>>
>> On Wed, Dec 16, 2015 at 8:02 PM, Nageswara Rao A.V.K (navk) <
>> navk at ...3461...> wrote:
>>
>>> You did not provide “Packet I/O Totals:” for this test.
>>>
>>> We have to compare that data.
>>>
>>> I don’t think previous stats will be applicable here.
>>>
>>> Because the number of pkts is different here.
>>>
>>>
>>>
>>> Best Regards,
>>>
>>> -ANR
>>>
>>> *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 at ...2499...]
>>> *Sent:* Wednesday, December 16, 2015 5:16 PM
>>> *To:* Nageswara Rao A.V.K (navk)
>>> *Cc:* snort-devel at lists.sourceforge.net
>>> *Subject:* Re: [Snort-devel] Large Packet Drop with SNort-2.9.80 as
>>> compared to Snort-2.9.7.6
>>>
>>> Hi,
>>>
>>> I captured a large PCAP (6.6G ~9M packets) and analyzed it through both
>>> Snort-2.9.7.6 and 2.9.8.0 with almost identical configuration files (memcap
>>> etc.). Since SO rules for Snort-2.9.7.6 cannot be used with 2.9.8.0, the
>>> number of rules for 2.9.8.0 was lower (about 11k) compared to 2.9.7.6
>>> (12k).
>>>
>>> Here is a summary of end-of-run stats
>>>
>>> Snort-2.9.7.6
>>>
>>>
>>> ===============================================================================
>>> Run time for packet processing was 547.131014 seconds
>>> Snort processed 9220233 packets.
>>> Snort ran for 0 days 0 hours 9 minutes 7 seconds
>>>    Pkts/min:      1024470
>>>    Pkts/sec:        16856
>>>
>>> ===============================================================================
>>>
>>> Snort-2.9.8.0
>>>
>>> ===============================================================================
>>> Run time for packet processing was 783.512468 seconds
>>> Snort processed 9220233 packets.
>>> Snort ran for 0 days 0 hours 13 minutes 3 seconds
>>>    Pkts/min:       709248
>>>    Pkts/sec:        11775
>>>
>>> ===============================================================================
>>>
>>> snort.conf is attached
>>>
>>> On Tue, Dec 15, 2015 at 10:03 AM, Dheeraj Gupta <dheeraj.gupta4 at ...3051......>
>>> wrote:
>>>
>>> Hi,
>>>
>>> The traffic is captured from a live interface, so it is not exactly the same.
>>> However, it is from the same network and same network filter over a
>>> contiguous time range. So, characteristics of the traffic are broadly the
>>> same, i.e. most of it is user browsing data. The reason I wrote this e-mail
>>> is because on a weekday, we have an average 100-150 Mbps on the wire and
>>> Snort-2.9.7.6 reported fewer losses (<10%). However, Snort-2.9.8.0 reported
>>> over 40% drops with comparable traffic load/pattern.
>>>
>>> Snort logs do not have any additional entry apart from session pruned due
>>> to timeout/stale (same in both cases).
>>>
>>> Regards,
>>>
>>> Dheeraj
>>>
>>> On Tue, Dec 15, 2015 at 8:43 AM, Nageswara Rao A.V.K (navk) <
>>> navk at ...3461...> wrote:
>>>
>>> Hi Dheeraj,
>>>
>>>    We need more info to get to a conclusion.
>>>
>>> Are you passing the same traffic in both scenarios?
>>>
>>> Did you verify snort logs?
>>>
>>> You may know the reason for pkt drops.
>>>
>>> We did not notice these problems in our observation.
>>>
>>> More details may help us to analyze the problem.
>>>
>>>
>>>
>>> Best Regards,
>>>
>>> -ANR
>>>
>>> *From:* Dheeraj Gupta [mailto:dheeraj.gupta4 at ...2499...]
>>> *Sent:* Monday, December 14, 2015 11:30 AM
>>> *To:* snort-devel at lists.sourceforge.net
>>> *Subject:* [Snort-devel] Large Packet Drop with SNort-2.9.80 as compared
>>> to Snort-2.9.7.6
>>>
>>> Hi,
>>>
>>> I just upgraded to Snort-2.9.8.0 from Snort-2.9.7.6. Before the upgrade
>>> one of my sensors showed (somewhat expected) packet drops. However, after
>>> the upgrade the packet drop increased significantly even though the number
>>> of rules decreased (as SO rules are not in use with 2.9.8.0). I am still
>>> using Snort-2.9.7.6 rulesets (as advised by you).
>>>
>>> Here is a snip from my snort.stats file for 2.9.8.0
>>>
>>> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
>>> 1450068900,33.873,124.415
>>> 1450069200,23.718,121.253
>>> 1450069500,26.014,120.349
>>> 1450069800,26.368,120.821
>>> 1450070100,23.706,116.493
>>> 1450070400,21.039,121.363
>>>
>>> For Snort-2.9.7.6, the snip is
>>> #time,pkt_drop_percent,wire_mbits_per_sec.realtime
>>> 1450071180,0.000,79.159
>>> 1450071480,0.000,118.671
>>> 1450071780,2.146,132.186
>>> 1450072080,8.337,130.408
>>>
>>> Looking at end-of-snort stats. This is for 2.9.8.0
>>>
>>> Packet I/O Totals:
>>>    Received:    804563792
>>>    Analyzed:    388361098 ( 48.270%)
>>>     Dropped:    298207658 ( 27.042%)
>>>    Filtered:    415840607 ( 51.685%)
>>>    Outstanding:       362087 (  0.045%)
>>>    Injected:            0
>>>
>>> And this is for 2.9.7.6
>>>
>>> Packet I/O Totals:
>>>    Received:     60969886
>>>    Analyzed:     30035104 ( 49.262%)
>>>     Dropped:       742645 (  1.203%)
>>>    Filtered:     30927585 ( 50.726%)
>>>    Outstanding:         7197 (  0.012%)
>>>    Injected:            0
>>>
>>> I have a longish BPF filter, so is the filtered count an indication of
>>> the amount of traffic which was filtered by that filter?
>>>
>>> Also is dropped count a subset of analyzed count or received count? I ask
>>> this because it appears
>>>
>>> received_count = analyzed + filtered
>>>
>>> so dropped_count doesn't really fit in
>>>
>>> Regards,
>>>
>>> Dheeraj
>>>
>>
>

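Elof's four definitions give a way to check the totals Dheeraj could not reconcile. The following is an added example, not code from the thread or from Snort itself: it parses a Packet I/O Totals block (the sample is constructed from the 18 Dec 2015 run quoted above), verifies that Received = Analyzed + Filtered + Outstanding, recomputes the percentages, and reports the share of wire traffic the engine actually inspected. The one assumption is that Dropped is expressed against Received + Dropped, which is what reproduces every block posted in this thread.

```python
import re

# Constructed from the 18 Dec 2015 "Packet I/O Totals" block quoted above.
SAMPLE_TOTALS = """\
Packet I/O Totals:
  Received:     14977160
  Analyzed:      7139620 ( 47.670%)
   Dropped:     11666105 ( 43.786%)
  Filtered:      7046472 ( 47.048%)
Outstanding:       791068 (  5.282%)
  Injected:            0
"""

COUNTERS = ("Received", "Analyzed", "Dropped", "Filtered", "Outstanding")
COUNTER_RE = re.compile(r"^\s*(%s):\s+(\d+)" % "|".join(COUNTERS), re.M)


def parse_totals(text):
    """Return {counter: int} for the counters in a Packet I/O Totals block."""
    found = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    missing = set(COUNTERS) - set(found)
    if missing:
        raise ValueError("missing counters: %s" % sorted(missing))
    return found


def check_accounting(c):
    """Apply Elof's definitions: each packet the DAQ received lands in exactly
    one of Analyzed / Filtered / Outstanding, while Dropped packets were lost
    by the hardware before the DAQ saw them, so they sit on top of Received
    rather than inside it. Percentages are recomputed on that basis (Dropped
    against Received + Dropped, the rest against Received); this assumption
    reproduces every block posted in the thread."""
    received = c["Received"]
    seen_on_wire = received + c["Dropped"]
    balanced = c["Analyzed"] + c["Filtered"] + c["Outstanding"] == received
    pct = {name: round(100.0 * c[name] / received, 3)
           for name in ("Analyzed", "Filtered", "Outstanding")}
    pct["Dropped"] = round(100.0 * c["Dropped"] / seen_on_wire, 3)
    return balanced, pct


def inspected_share(c):
    """Percent of all packets the hardware saw that the detection engine
    actually inspected; BPF-filtered and hardware-dropped packets both count
    against sensor visibility, which the headline Dropped figure hides."""
    return round(100.0 * c["Analyzed"] / (c["Received"] + c["Dropped"]), 3)
```

For the sample block the counters balance exactly and the engine inspected under 27% of what the hardware saw, even though Dropped reads 43.786%; a block that fails the balance check is the "false statistics" case Elof suspects.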
