[Snort-users] Drop statistics and Cisco Catalyst 6500

Rich Adamson radamson at ...2127...
Wed Mar 27 15:39:02 EST 2002


> I'm trying to understand the packet & drop statistics generated by Snort vs.
> the statistics generated by a Cisco Catalyst 6500.

same word, but the word is used differently.

Dropped packets on a C6500 means the switch port could not get rid of the
packets quick enough (generally means "congestion"), and had to dump the
packet on the floor. Switches do not have any significant buffers to hold
data; what comes into a switch port better have a quick way to be sent out
another port, or it will be dropped.

Snort's use of the "drop" generally means the processor is too busy to 
analyze a packet, therefore rather than store up an unknown quantity of
packets, it drops them on the floor.

The objective in both cases is the same: identify the congestion and 
engineer around it.

For the "packet counts", the cisco switch is basically a layer-2 device
so it handles all protocols. Snort is TCP/IP based, and only counts packets
"destined" for itself and then only IP packets. Total packets measured by
Snort should be less than what the port statistics reflect on the Cisco.
Also, Snort doesn't care about general broadcasts while the Cisco counts
those.






More information about the Snort-users mailing list