[Snort-users] Discarded packets and other stats...

John Sage jsage at ...2022...
Mon Jun 18 18:37:09 EDT 2001


OK: snort seems to be ticking along quite happily, doing pretty much 
what I ask of it, and all is well.

Fine.

I'm curious about the stats that are printed when snort exits. For one 
example:

====================================================
     TCP: 30291      (95.013%)         ALERTS: 12
     UDP: 848        (2.660%)          LOGGED: 14867
    ICMP: 742        (2.327%)          PASSED: 0

So, in this particular session, snort accounted for 31,881 tcp, udp and 
icmp packets, but there's only 14,879 seen by Alerts, Logged, or Passed.

What/where are the others?


     ARP: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 0          (0.000%)

And, what's this all about:

DISCARD: 7350       (23.054%)

What gets discarded, typically, and why?

And isn't 23% a lot?


=====================================================
Fragmentation Stats:
Fragmented IP Packets: 229        (0.718%)
    Rebuilt IP Packets: 0
    Frag elements used: 0
Discarded(incomplete): 0
    Discarded(timeout): 0
=====================================================
TCP Stream Reassembly Stats:
    TCP Packets Used:      27710      (86.917%)
    Reconstructed Packets: 7579       (23.773%)
    Streams Reconstructed: 878
=====================================================

The rest of this I think I'm kinda OK with, unless anyone sees something 
out of line, or if someone wants to toss in any thoughts...

TIA..

- John

-- 
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/
mailto:jsage at ...2022...
"The web is so, like, five minutes ago..."
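Added example, not part of John's post: a small parser for an exit summary of the shape quoted above, which totals the per-protocol counts against ALERTS/LOGGED/PASSED and recomputes the DISCARD share, so the gap John points out can be checked mechanically across many sensor runs. The sample text is constructed from the figures in the post; the function names are my own.

```python
import re

# Constructed sample, copied in shape and values from the exit summary in the post.
SAMPLE_STATS = """\
====================================================
     TCP: 30291      (95.013%)         ALERTS: 12
     UDP: 848        (2.660%)          LOGGED: 14867
    ICMP: 742        (2.327%)          PASSED: 0
     ARP: 0          (0.000%)
    IPv6: 0          (0.000%)
     IPX: 0          (0.000%)
   OTHER: 0          (0.000%)
DISCARD: 7350       (23.054%)
"""

# Matches every "NAME: N" pair on a line; the "(95.013%)" columns have no colon
# and are skipped.
COUNTER_RE = re.compile(r"([A-Za-z0-9]+):\s+(\d+)")

PROTOCOLS = ("TCP", "UDP", "ICMP", "ARP", "IPV6", "IPX", "OTHER")
DISPOSITIONS = ("ALERTS", "LOGGED", "PASSED")


def parse_stats(text):
    """Return {NAME: count} for every counter found in the summary text."""
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name.upper()] = int(value)
    return counters


def summarize(counters):
    """Compare what the decoder saw with what alert/log/pass accounted for."""
    seen = sum(counters.get(p, 0) for p in PROTOCOLS)
    handled = sum(counters.get(d, 0) for d in DISPOSITIONS)
    discard = counters.get("DISCARD", 0)
    # Percentage recomputed against the protocol total; for the posted figures
    # this reproduces the 23.054% Snort printed.
    discard_pct = round(100.0 * discard / seen, 3) if seen else 0.0
    return {
        "seen": seen,
        "handled": handled,
        "unaccounted": seen - handled,
        "discard": discard,
        "discard_pct": discard_pct,
    }


if __name__ == "__main__":
    print(summarize(parse_stats(SAMPLE_STATS)))
```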