[Snort-users] Snort PerfMon preprocessor output

Basselgia, Barry A Mr (NAF Atsugi) BABasselgia at ...12104...
Thu Oct 21 15:11:29 EDT 2004


I'm trying to figure out how to gauge the performance on my snort sensor.  I
have the perfmonitor preprocessor configured with the below line in my
snort.conf file.

preprocessor perfmonitor: time 60 events flow file /var/log/snort/snort.stats pktcnt 50

I was using the perfmon-graph.pl file to generate charts from the file.  But
the charts don't seem to match observed performance.  The first thing that
appears to be strange is in the % Packets Dropped data.  If I'm not mistaken,
it's the second field in the snort.stats file, the time stamp being the
first field.  It is regularly recording that the % Packets Dropped is
greater than 100, in some instances much, much greater than 100.  I'll
include sample data below.

Is there any more info on the perfmonitor preprocessor, other than what's in
the snort_manual.pdf file?  Anybody have any idea why it claims I'm dropping
billions of % of packets?

snort:/var/log/snort # more snort.stats
1098299821,0.000,0.1,0.0,0.0,469,83.59,0.5,0.5,0.5,0.4,11,15,0.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098300022,32.718,0.2,0.0,0.1,280,73.48,0.7,0.7,0.7,0.8,9,16,1.1,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.7
1098300144,534533296833078848.000,0.6,0.0,0.1,638,88.10,2.8,2.8,2.9,2.9,15,21,5.6,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.2
1098300206,0.000,0.2,0.0,0.1,532,84.87,1.7,1.7,1.7,1.8,11,21,3.2,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.7
1098300270,0.000,0.2,0.0,0.0,660,108.07,1.2,1.2,1.2,1.1,15,21,2.4,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.1,99.2
1098300342,15.919,0.3,0.0,0.1,366,87.41,1.3,1.3,1.3,1.4,10,25,2.5,0,3,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098300416,100.000,0.3,0.0,0.1,590,87.64,0.9,0.9,0.9,0.9,8,25,1.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300483,100.000,0.2,0.0,0.0,515,85.02,0.7,0.7,0.7,0.7,13,25,1.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.8
1098300551,0.000,0.3,0.0,0.1,477,83.42,2.5,2.5,2.6,2.5,15,25,4.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300613,2.852,0.5,0.0,0.1,462,85.56,2.2,2.2,2.3,2.2,17,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.1
1098300675,100.000,0.4,0.0,0.1,549,86.72,0.8,0.8,0.8,1.0,9,25,1.6,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300741,0.000,0.3,0.0,0.1,550,85.84,1.7,1.7,1.7,1.6,14,25,2.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300813,0.000,0.1,0.0,0.0,321,84.21,1.3,1.3,1.3,1.3,13,25,3.2,0,3,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098300880,0.000,0.2,0.0,0.1,476,89.38,1.9,1.9,1.9,1.9,13,25,4.5,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300944,18.444,0.3,0.0,0.1,298,75.11,1.5,1.5,1.5,1.6,11,25,3.4,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098301018,100.000,0.1,0.0,0.0,619,133.61,1.2,1.2,1.3,1.3,15,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,1.4,0.0,98.6
1098301097,100.000,0.1,0.0,0.0,292,77.05,1.1,1.1,1.1,1.2,10,25,2.9,0,3,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.8
1098301175,0.000,0.1,0.0,0.0,367,81.32,1.0,1.0,1.0,1.0,6,25,2.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098301239,12.576,0.4,0.0,0.1,382,81.06,1.9,1.9,2.0,1.8,17,25,4.1,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301311,100.000,0.2,0.0,0.1,550,90.52,1.5,1.5,1.5,1.6,7,25,4.0,0,3,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098301373,0.000,0.2,0.0,0.0,486,85.79,1.5,1.5,1.5,1.5,8,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301442,0.000,0.2,0.0,0.0,459,84.36,1.5,1.5,1.5,1.5,12,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098301502,0.000,0.4,0.0,0.1,491,86.14,2.0,2.0,2.1,2.1,12,25,4.7,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301574,69.776,0.3,0.0,0.1,363,83.81,1.5,1.5,1.5,1.5,12,25,3.6,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301636,100.000,0.1,0.0,0.0,331,96.05,1.2,1.2,1.2,1.3,11,25,3.3,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301702,794091436664208000.000,0.2,0.0,0.1,404,90.60,1.7,1.7,1.8,1.7,16,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301763,100.000,0.2,0.0,0.1,404,88.06,1.4,1.4,1.4,1.4,14,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301825,7.348,0.5,0.0,0.2,384,81.74,2.5,2.5,2.7,2.6,20,27,5.5,0,2,0.0,0.0,0.0,0.0,0,0,0.9,0.2,99.0
1098301885,100.000,0.2,0.0,0.1,390,81.39,1.8,1.8,1.9,1.9,17,27,4.3,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5


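Added example, not part of the original post: a sanity check over snort.stats text that takes the post's reading of the layout as an assumption (epoch timestamp first, % packets dropped second), rejoins records that were hard-wrapped as in the e-mail, and flags any drop value outside 0 to 100. The sample records are constructed and shortened, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout the post describes: epoch timestamp first,
# "% packets dropped" second. Two records are hard-wrapped as in the e-mail.
SAMPLE = """\
1098299821,0.000,0.1,0.0,0.0,469,83.59
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,
90.05
1098300022,32.718,0.2,0.0,0.1,280,73.48
1098300082,100.000,0.2,0.0,0.0,476,87
.77
"""

# Assumption: a record starts with a 10-digit epoch timestamp and a comma.
RECORD_START = re.compile(r"^\d{10},")


def records(text):
    """Rejoin hard-wrapped lines into one CSV record per timestamp."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if RECORD_START.match(line) and buf:
            yield buf
            buf = ""
        buf += line
    if buf:
        yield buf


def check_drop_field(text):
    """Return (timestamp, value, verdict) for each record's second field."""
    out = []
    for rec in records(text):
        fields = rec.split(",")
        try:
            ts, pct = int(fields[0]), float(fields[1])
        except (IndexError, ValueError):
            out.append((fields[0], None, "unparseable"))
            continue
        # A percentage must lie in [0, 100]; this test is also False for NaN.
        verdict = "ok" if 0.0 <= pct <= 100.0 else "out-of-range"
        out.append((ts, pct, verdict))
    return out


if __name__ == "__main__":
    for ts, pct, verdict in check_drop_field(SAMPLE):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        print(f"{when}  drop%={pct}  {verdict}")
```

The check only tests the range of the second field; it does not explain why an interval reports an impossible value.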