[Snort-users] packet capture/loss statistics

Martin Roesch roesch at ...421...
Tue Mar 13 09:17:27 EST 2001


Yeah, this is an error on my part in perception of what the packet stats
code in libpcap returns.  It should definitely be recv + drop.  I'm
pretty sure this is true on all OSs...

     -Marty

Phil Wood wrote:
> 
> I think there is a problem calculating the percent of dropped packets on
> linux.
> 
> First, ps_recv is incremented every time a packet is received by
> the user application.  Second, this value plus ps_drop which is supplied by
> the linux kernel via:
> 
>   (getsockopt(p->fd, SOL_PACKET, PACKET_STATISTICS, (void*)&tps, &olen) == 0)
> 
> is roughly equal to the number of packets received by the kernel.  There is
> actually another value ps_ifdrop which is equal to the kernel
> 
>   (tp_packets - (ps_recv + tp_drops)).
> 
> Consequently, I modified the call to CalcPct to look like so:
> 
>   CalcPct(drop, recv + drop);
> 
> This may only be true for linux.
> 
> Thanks,
> 
> Phil

--
Martin Roesch
roesch at ...421...
http://www.snort.org
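
Added example (not part of the original messages and not Snort or libpcap code): the two denominators side by side, plus ps_ifdrop as Phil defines it. It assumes the earlier call measured drops against recv alone, which the thread implies but does not show; struct cap_counts, calc_pct and the sample counter values are constructed for illustration.

```c
#include <stdio.h>

/* Counter names follow the thread; this struct is constructed for the
 * example and is not libpcap's struct pcap_stat. */
struct cap_counts {
    unsigned long ps_recv;    /* packets handed to the application */
    unsigned long ps_drop;    /* kernel-reported drops (tp_drops) */
    unsigned long tp_packets; /* packets counted by the kernel */
};

/* Hypothetical stand-in for Snort's CalcPct: part as a percentage of
 * total, 0.0 when nothing was counted (avoids dividing by zero). */
double calc_pct(unsigned long part, unsigned long total)
{
    return total ? 100.0 * (double)part / (double)total : 0.0;
}

/* Assumed earlier form: drops measured against delivered packets only. */
double drop_pct_recv_only(const struct cap_counts *c)
{
    return calc_pct(c->ps_drop, c->ps_recv);
}

/* Form agreed in the thread: CalcPct(drop, recv + drop). */
double drop_pct_fixed(const struct cap_counts *c)
{
    return calc_pct(c->ps_drop, c->ps_recv + c->ps_drop);
}

/* ps_ifdrop as given in the thread: tp_packets - (ps_recv + tp_drops),
 * clamped at 0 so an inconsistent sample cannot wrap around. */
unsigned long ifdrop(const struct cap_counts *c)
{
    unsigned long seen = c->ps_recv + c->ps_drop;
    return c->tp_packets > seen ? c->tp_packets - seen : 0;
}

int main(void)
{
    /* Constructed samples: light loss, then a sensor under heavy load. */
    struct cap_counts s[] = { {900, 100, 1010}, {100, 300, 400} };
    for (int i = 0; i < 2; i++)
        printf("recv=%lu drop=%lu  recv-only=%.1f%%  fixed=%.1f%%  ifdrop=%lu\n",
               s[i].ps_recv, s[i].ps_drop, drop_pct_recv_only(&s[i]),
               drop_pct_fixed(&s[i]), ifdrop(&s[i]));
    return 0;
}
```

With the recv-only denominator the second sample reports 300% loss, while recv + drop keeps the figure between 0 and 100.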
