[Snort-users] Drop statistics and Cisco Catalyst 6500
Owen_Crow at ...2639...
Wed Mar 27 14:57:09 EST 2002
I'm trying to understand the packet & drop statistics generated by Snort vs.
the statistics generated by a Cisco Catalyst 6500.
Compaq ML370 Rack-mount
Pentium III at 933MHz
Redhat 7.2 with stock kernel 2.4.7-10
libpcap-0.7.1 compiled locally
snort-1.8.3 compiled locally against libpcap-0.7.1
Admin interface: eth0: OEM i82557/i82558 10/100 Ethernet, xx:xx:xx:xx:xx:xx,
Unused interface: eth1: OEM i82557/i82558 10/100 Ethernet,
xx:xx:xx:xx:xx:xx, IRQ 5.
Snort interface: eth2: Mem:0xc6fe0000 IRQ:15 Speed:1000 Mbps Duplex:Full
Intel(R) PRO/1000 Network Driver - version 3.1.22
All hardware is Compaq-supplied.
Only output options are fast and binary.
The Snort interface is connected via fiber to a port on the 6500 and the
VLAN for one of our internal networks is spanned to this port. Of the VLAN
ports, 11 are GigE and two are 100BaseT. This VLAN (call it 10.10.0.0/16)
serves multiple floors in multiple buildings for about 2500 systems.
Yesterday, I setup a cron job to grab statistics every hour on the Snort
0 * * * * killall -USR1 snort && sleep 10 && egrep "snort: Snort
analyzed|snort: dropping" /var/log/messages | tail -2 | mail -s "Snort stats
for $HOSTNAME on `date`" me at ...5417...
Which returns output like:
Mar 27 16:00:00 hostname snort: Snort analyzed 58659786 out of 102822893
Mar 27 16:00:00 hostname snort: dropping 44163107(42.951%) packets
Then at a specific hour (16:00 CST yesterday) I asked our network admin to
reset the statistics on the Snort port of the 6500. Today at 09:00 I asked
him to "show counters" on that port to get the transmitted packet counts
(txHCTotalPkts). In theory, the total packets seen by the 6500 for that
port should match the total packets seen by the Snort sensor. Here are the
Total packets analyzed: 1,347,042,936
Total packets: 2,452,608,498
Dropped packets: 1,105,565,562
Drop percentage: 45.08%
Total packets (txHCTotalPkts): 1,347,813,989
Discards (ifOutDiscards): 8,182,354
So the average packets per second according to Snort is 40075, while
according to the Cisco it is 22023. Why does my Snort sensor seem to be
seeing approximately twice as many packets as the Cisco?
I can provide more of the Cisco stats if they are relevant.
Systems Programmer (Unix)
BMC Software, Inc.
More information about the Snort-users