[Snort-users] Performance stats

Jason Brvenik jasonb at ...1935...
Sun Oct 2 18:12:39 EDT 2005


The application layer stats include the reassembled traffic. It is not
unusual to see nearly double the number for app layer since snort
inspects both reassembled and raw data. The exact ratio will depend on
the mix of TCP/UDP/ICMP traffic as well as average packet sizes and rate.

sekure wrote:
> I was wondering if someone could elaborate on the differences between
> the application layer and wire counters in Snort stats.  Why would i
> sometimes see almost twice the application layer throughput in Mbps
> than on the wire?
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=ort-users
> 




More information about the Snort-users mailing list