[Snort-users] Drop statistics and Cisco Catalyst 6500

Rich Adamson radamson at ...2127...
Wed Mar 27 16:02:06 EST 2002


> Right, Snort only analyzes IP packets, but it does analyze broadcasts and
> multicasts (especially on a LAN), too.  There are at least a few
> experimental rules that use a destination of 255.255.255.255 (SNMP).
> 
> I included the Cisco drop stat just because it was one of the few populated
> stats in the output.
> 
> We're still left with the question of why Snort is seeing more packets than
> the Cisco.

In most corporate environments, the Cisco packet counts should be greater than
or equal to Snort (due to the "other" protocols that are almost always present). 
Dropped packets can't be compared between the two devices.

If Snort's packet counts are greater than the Cisco, then obviously one of the
two can't count.





