[Snort-users] Discarded packets and other stats...

John Sage jsage at ...2022...
Mon Jun 18 18:37:09 EDT 2001

OK: snort seems to be ticking along quite happily, doing pretty much 
what I ask of it, and all is well.


I'm curious about the stats that are printed when snort exits. For one 

     TCP: 30291      (95.013%)         ALERTS: 12
     UDP: 848        (2.660%)          LOGGED: 14867
    ICMP: 742        (2.327%)          PASSED: 0

So, in this particular session, snort accounted for 31,881 TCP, UDP and 
ICMP packets, but there's only 14,879 seen by Alerts, Logged, or Passed.

What/where are the others?

     ARP: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 0          (0.000%)

And, what's this all about:

DISCARD: 7350       (23.054%)

What gets discarded, typically, and why?

And isn't 23% a lot?

Fragmentation Stats:
Fragmented IP Packets: 229        (0.718%)
    Rebuilt IP Packets: 0
    Frag elements used: 0
Discarded(incomplete): 0
    Discarded(timeout): 0
TCP Stream Reassembly Stats:
    TCP Packets Used:      27710      (86.917%)
    Reconstructed Packets: 7579       (23.773%)
    Streams Reconstructed: 878

The rest of this I think I'm kinda OK with, unless anyone sees something 
out of line, or if someone wants to toss in any thoughts...


- John

John Sage
FinchHaven, Vashon Island, WA, USA
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
