[Snort-users] Snort behaviour graphic.

Chris Green cmg at ...1935...
Wed Jul 10 14:13:02 EDT 2002


Emilio Mira <emial at ...4389...> writes:

> Hi all,
>
> I've been doing tests with Snort and I got the graphic attached. We can
> see traffic received in packets per second with blue line, Snort droped
> pps with green line and Snort total VM size in kilobytes. X axe represents
> time in hours (a little more than one week).
>
> First, why droped packets are so different in between days with similar
> traffic? (I get droped packets with a script that compares received
> packets from the interface with Snort processed packets, from kill
> -USR1).
>
> Second, why Snort vsize is like this?. I thought it bears relation to 
> traffic received, but it doesn't.

What are your stream4 and frag2 configurations?   How many hosts are
you seeing on your network? Any idea on the type of traffic?

You might try running your statistics with a higher memcap.  I
wouldn't be suprised if those times are when you are hitting a forced
session prune.
-- 
Chris Green <cmg at ...1935...>
To err is human, to moo bovine.




More information about the Snort-users mailing list