[Snort-users] 'kill snort-pid -USR1' returns unrealistic figures

Bruno Vuillemin Bruno.Vuillemin at ...4964...
Wed Feb 13 05:51:38 EST 2002


Statistics generated by "kill snort-pid -USR1" look strange:

1/ snort is launched

2/ a few seconds later I did a "kill snort-pid -USR1"

(...)
Feb 11 17:02:47 snortBox snort: Snort analyzed 10346 out of 10923 packets, 
Feb 11 17:02:47 snortBox snort: dropping 577(5.282%) packets  
(...)

Nothing special to say. 

3/ about one minute later, I did it again

(...)
Feb 11 17:03:48 snortBox snort: Snort analyzed -119209984 out of 16777216 packets, 
Feb 11 17:03:48 snortBox snort: dropping 135987200(810.547%) packets  
(...)

These figures are impressive but don't seem very reliable.

In the annex, an even worse case.

Is this a known problem? Any comments?

Context:

Before posting this, I wasn't able to find any relevant information with the usual web/news search tools.

Nothing special about snort binaries: I read the docs, compiled it as recommended (unless 
I missed something). snort 1.8.2.
SnortSnarf is able to use the collected data.

Hardware: a Compaq Deskpro DP2000 with two Ethernet cards.

# 'cat /proc/net/dev' looks very acceptable (after I added some spaces to improve layout)

Inter-|   Receive                                                     |  Transmit
 face |     bytes    packets errs drop fifo frame compressed multicast|    bytes packets errs drop fifo   colls carrier compressed
    lo:     13350       179    0    0    0     0          0         0      13350     179    0    0    0       0       0          0
  eth0: 941121015 266280107    2    0    0     3          0         0        168       4    0    0    0       0       0          0
  eth1:1467837932   6539927    0    0    0     0          0         0 4117790301 7032899    0    0    0 1139037       0          0


------------

Regards.

Bruno Vuillemin, university of Fribourg/Freiburg (Switzerland), computer service

--------------------------------------------------------


Annex:

This was output about one hour after snort was launched.
Figures again are surprising.




Feb 12 16:00:25 snortBox snort:   =============================================================================== 
Feb 12 16:00:25 snortBox snort: Snort analyzed 0 out of 0 packets, 
Feb 12 16:00:25 snortBox snort: . 
Feb 12 16:00:25 snortBox snort: Breakdown by protocol:                Action Stats: 
Feb 12 16:00:25 snortBox snort:     TCP: 307907     (inf%)         ALERTS: 89         
Feb 12 16:00:25 snortBox snort:     UDP: 3391       (inf%)         LOGGED: 30         
Feb 12 16:00:25 snortBox snort:    ICMP: 308        (inf%)         PASSED: 0          
Feb 12 16:00:25 snortBox snort:     ARP: 1826       (inf%) 
Feb 12 16:00:25 snortBox snort:    IPv6: 0          (0.000%) 
Feb 12 16:00:25 snortBox snort:     IPX: 4          (inf%) 
Feb 12 16:00:25 snortBox snort:   OTHER: 3058       (inf%) 
Feb 12 16:00:25 snortBox snort: DISCARD: 0          (0.000%) 
Feb 12 16:00:25 snortBox snort: =============================================================================== 
Feb 12 16:00:25 snortBox snort: Fragmentation Stats: 
Feb 12 16:00:25 snortBox snort: Fragmented IP Packets: 0          (0.000%) 
Feb 12 16:00:25 snortBox snort:     Fragment Trackers: 0          
Feb 12 16:00:25 snortBox snort:    Rebuilt IP Packets: 0          
Feb 12 16:00:25 snortBox snort:    Frag elements used: 0          
Feb 12 16:00:25 snortBox snort: Discarded(incomplete): 0          
Feb 12 16:00:25 snortBox snort:    Discarded(timeout): 0          
Feb 12 16:00:25 snortBox snort:   Frag2 memory faults: 0          
Feb 12 16:00:25 snortBox snort: =============================================================================== 
Feb 12 16:00:25 snortBox snort: TCP Stream Reassembly Stats: 
Feb 12 16:00:25 snortBox snort:         TCP Packets Used: 307891     (inf%) 
Feb 12 16:00:25 snortBox snort:          Stream Trackers: 8767       
Feb 12 16:00:25 snortBox snort:           Stream flushes: 1018       
Feb 12 16:00:25 snortBox snort:            Segments used: 2663       
Feb 12 16:00:25 snortBox snort:    Stream4 Memory Faults: 0          
Feb 12 16:00:25 snortBox snort: =============================================================================== 




