Hi Gary,

thanks for the fine results. I already suspected some errors in the
old libpcap statistics since so many people were reporting high
traffic sniffing without packet loss...

> Can someone from sourcefire/snort team comment on how the performance 
> statistics (both perfmon processor and after receiving a USR1 signal) are 
> created?  How reliable are they?  Do they report just what they receive 
> from libpcap, or would they report as "dropped" packets that they received 
> from libpcap, but couldn't process for whatever reason?

No, snort only reports the statistics of libpcap; snort never drops
packets by itself. Depending on the load and the rules which have to be
tested, it can happen that snort takes longer to analyze some packets
than others.

Especially if many rules have to be checked and no rule matches...

Best regards


