[Snort-users] packet capture/loss statistics

Martin Roesch roesch at ...421...
Tue Mar 13 09:17:27 EST 2001

Yeah, this is an error on my part in perception of what the packet stats
code in libpcap returns.  It should definitely be recv + drop.  I'm
pretty sure this is true on all OSs...


Phil Wood wrote:
> I think there is a problem calculating the percent of dropped packets on
> Linux.
> First, ps_recv is incremented every time a packet is received by
> the user application.  Second, this value plus ps_drop, which is supplied by
> the Linux kernel via:
>   (getsockopt(p->fd, SOL_PACKET, PACKET_STATISTICS, (void*)&tps, &olen) == 0)
> is roughly equal to the number of packets received by the kernel.  There is
> actually another value ps_ifdrop which is equal to the kernel
>   (tp_packets - (ps_recv + tp_drops)).
> Consequently, I modified the call to CalcPct to look like so:
>   CalcPct(drop, recv + drop);
> This may only be true for Linux.
> Thanks,
> Phil

Martin Roesch
roesch at ...421...
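
The accounting discussed in this thread, as an added example (not code from the thread, Snort, or libpcap): it derives ps_ifdrop from the kernel counters as Phil describes and compares the corrected denominator (recv + drop) with dividing by recv alone. That the earlier call divided by recv alone is an assumption, and the struct, function names and sample numbers are constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed stand-in for the counters named in the thread. */
struct cap_stats {
    uint64_t recv;   /* ps_recv: packets handed to the user application */
    uint64_t drop;   /* ps_drop: kernel-reported drops (tp_drops) */
    uint64_t ifdrop; /* ps_ifdrop: tp_packets - (ps_recv + tp_drops) */
};

/* Build the three counters from an application count and kernel totals. */
struct cap_stats derive_stats(uint64_t app_recv, uint64_t tp_packets,
                              uint64_t tp_drops)
{
    struct cap_stats s = { app_recv, tp_drops, 0 };
    uint64_t accounted = app_recv + tp_drops;
    /* The counters are sampled at different instants, so clamp at zero
       instead of letting the unsigned subtraction wrap around. */
    if (tp_packets > accounted)
        s.ifdrop = tp_packets - accounted;
    return s;
}

/* Percentage with a guard for an idle interface (no packets at all). */
double pct(uint64_t part, uint64_t whole)
{
    return whole ? 100.0 * (double)part / (double)whole : 0.0;
}

/* Assumed earlier behaviour: drops measured against delivered packets only. */
double drop_pct_recv_only(const struct cap_stats *s)
{
    return pct(s->drop, s->recv);
}

/* Corrected form from the thread: CalcPct(drop, recv + drop). */
double drop_pct_fixed(const struct cap_stats *s)
{
    return pct(s->drop, s->recv + s->drop);
}

int main(void)
{
    /* Constructed sample: a sensor that keeps up with 40% of the traffic. */
    struct cap_stats s = derive_stats(4000, 10000, 6000);
    printf("recv-only denominator: %.1f%%\n", drop_pct_recv_only(&s));
    printf("recv + drop:           %.1f%%\n", drop_pct_fixed(&s));
    return 0;
}
```

With the recv-only denominator a heavily loaded sensor reports a loss figure above 100%, which is the kind of value that makes the statistic useless for judging whether the sensor is missing traffic.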
