[Snort-users] RE: Snort PerfMon preprocessor output

Basselgia, Barry A Mr (NAF Atsugi) BABasselgia at ...12104...
Sat Oct 23 20:35:03 EDT 2004


Thanks for the pointer.

When I went to look at perf-base.c, I found there is a #define that sets up
the drop packet counter.  It was set to ACCUMULATE_PKTS, which is for BSD
systems.  I changed it to RESET_PKTS, which the comments say is for Linux
2.4.*.  Recompiled snort and the stats seem to be working much better now.

Shouldn't the configure script have picked this up?

Thanks again for the help.

Barry


-----Original Message-----
From: sekure [mailto:sekure at ...11827...]
Sent: Friday, October 22, 2004 10:15 PM
To: Basselgia, Barry A Mr (NAF Atsugi)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] RE: Snort PerfMon preprocessor output


Barry,

Two things:

1.  What OS are you using, what version of libpcap, what version of snort?

2.  Here is the format of the perfmonitor file, from perf-base.c:

/*
 *
 *   Log Base Per Stats to File for Use by the MC
 *
 * unixtime(in secs since epoch)
 * %pkts dropped
 * mbits/sec
 * alerts/sec
 * K-Packets/Sec
 * Avg Bytes/Pkt
 * %bytes pattern matched
 * syns/sec
 * synacks/sec
 * new-sessions/sec
 * del-sessions/sec
 * total-sessions open
 * max-sessions
 * streamflushes/sec
 * streamfaults/sec
 * streamtimeouts
 * fragcompletes/sec
 * fraginserts/sec
 * fragdeletes/sec
 * fragflushes/sec
 * fragtimeouts
 * fragfaults
 * %user-cpu usage
 * %sys-cpu usage
 * %idle-cpu usage
 */



On Fri, 22 Oct 2004 13:04:23 +0900, Basselgia, Barry A Mr (NAF Atsugi)
<babasselgia at ...12104...> wrote:
 
> So, it looks like field 2 is the % dropped packets.  The problem actually
> seems to be in the dropped packets counter.  It claims I dropped more than a
> 100 Billion packets, when I only received 1944.
> 
> Must be a bug in the performance counter.  Anyone have any ideas?
> 
> Barry

---------------------------------------------------------
This message has been scanned for viruses and dangerous
content by the NAF Atsugi MailScanner.
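
Added example, not part of the original messages and not Snort's own code: a parser for the perfmonitor stats file that uses the field order from the perf-base.c comment quoted above and flags rows whose percentage fields fall outside 0..100, the symptom described in this thread. It assumes one comma-separated row per interval; the field names, the '#' comment handling and the sample rows are constructed for illustration.

```python
import csv
import io

# Field order copied from the perf-base.c comment quoted in the thread.
# The Python names themselves are hypothetical, chosen for this example.
FIELDS = [
    "unixtime", "pct_pkts_dropped", "mbits_per_sec", "alerts_per_sec",
    "kpkts_per_sec", "avg_bytes_per_pkt", "pct_bytes_pattern_matched",
    "syns_per_sec", "synacks_per_sec", "new_sessions_per_sec",
    "del_sessions_per_sec", "total_sessions_open", "max_sessions",
    "streamflushes_per_sec", "streamfaults_per_sec", "streamtimeouts",
    "fragcompletes_per_sec", "fraginserts_per_sec", "fragdeletes_per_sec",
    "fragflushes_per_sec", "fragtimeouts", "fragfaults",
    "pct_user_cpu", "pct_sys_cpu", "pct_idle_cpu",
]
PERCENT_FIELDS = [f for f in FIELDS if f.startswith("pct_")]

def parse_perfmon(text):
    """Yield one dict per stats row; skip blank lines and '#' comments."""
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != len(FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        rec = dict(zip(FIELDS, map(float, row)))
        rec["lineno"] = lineno
        yield rec

def implausible(rec):
    """Return the names of percentage fields outside 0..100."""
    return [f for f in PERCENT_FIELDS if not 0.0 <= rec[f] <= 100.0]

def check(text):
    """Map line number -> out-of-range percentage fields, bad rows only."""
    return {r["lineno"]: implausible(r)
            for r in parse_perfmon(text) if implausible(r)}

# Constructed sample rows (not real Snort output); the second row carries an
# impossible drop percentage like the one reported in the thread.
SAMPLE = """\
# constructed perfmon sample
1098400000,0.000,1.2,0.0,0.3,512,4.1,2,2,1,1,10,12,0,0,0,0,0,0,0,0,0,3.0,1.0,96.0
1098400300,5144032921.811,0.9,0.0,0.2,498,3.8,1,1,1,0,11,12,0,0,0,0,0,0,0,0,0,2.5,1.5,96.0
"""

if __name__ == "__main__":
    for lineno, bad in check(SAMPLE).items():
        print(f"line {lineno}: out-of-range {bad}")
```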

