[Snort-users] Looooots of "Outstanding" and "Analyzed" packets - counter wrap ?

Harry Hoffman hhoffman at ...10275...
Thu Nov 23 14:24:00 EST 2006


Try putting the keyword "reset" for the perfmonitor preprocessor,
something like:
preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 reset


HTH,
Harry

Andreas Maus wrote:
> Hi.
> 
> I was asked (off-list) to provide some additional information,
> esp. the packet counters from the OS.
> 
> debian3164m:~# netstat -ni 
> Kernel Interface table
> Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
> eth0   1500 0    413593      0      0      0  287444      0      0      0 ABMRU
> lo    16436 0     78789      0      0      0   78789      0      0      0 LRU
> 
> [... several hours later ...]
> debian3164m:~# netstat -ni ; pkill snort
> Kernel Interface table
> Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
> eth0   1500 0    424152      0      0      0  289605      0      0      0 ABMRU
> lo    16436 0     84348      0      0      0   84348      0      0      0 LRU
> 
> I am snorting on eth0 (non promiscuous). So after 12720 packets
> (10559 receiving and 2161 transmitting) I killed snort
> and as packet statistics it gave:
> Snort ran for 0 Days 12 Hours 10 Minutes 16 Seconds
> Packet analysis time averages:
> 
> Snort Analyzed 30 Packets Per Hour
> Snort Analyzed 0 Packets Per Minute
> Snort Analyzed 0 Packets Per Second
> 
> Snort received 367 packets
> Analyzed: 12715(3464.577%)
> Dropped: 0(0.000%)
> Outstanding: 4294954948(5026360781529153536.000%)
> ===============================================================================
> Breakdown by protocol:
> TCP: 3799 (29.878%)
> UDP: 736 (5.788%)
> ICMP: 189 (1.486%)
> ARP: 7991 (62.847%)
> EAPOL: 0 (0.000%)
> IPv6: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
> IPX: 0 (0.000%)
> FRAG: 0 (0.000%)
> OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> ===============================================================================
> Action Stats:
> ALERTS: 20
> LOGGED: 20
> PASSED: 0
> ===============================================================================
> TCP Stream Reassembly Stats:
> TCP Packets Used: 3799 (29.878%)
> Stream Trackers: 164
> Stream flushes: 619
> Segments used: 1395
> Segments Queued: 1397
> Stream4 Memory Faults: 0
> ===============================================================================
> Snort exiting
> 
> This weird number also occurs if I request these statistics via SIGUSR1.
> And again I will get a reasonable number of outstanding (what are
> outstanding packets?) if I subtract snort's number of outstanding
> packets from 2^32 (2**32 - 4294954948 = 12348).
> 
> Any hints/clues ?
> 
> Thanks,
> 
> Andreas.
> 
> P.S.: Of course I will try the fresh and shiny new snort released
> yesterday.
> 
> 
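The figures quoted above are consistent with an unsigned 32-bit subtraction that underflows: 367 received minus 12715 analyzed is -12348, which wraps to 4294954948. The following C sketch is an added example, not part of the thread and not Snort's own code; the formula (received - analyzed - dropped) and all function names are assumptions chosen because they reproduce the quoted numbers.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Values constructed from the statistics quoted in the thread. */
#define PKTS_RECEIVED UINT32_C(367)
#define PKTS_ANALYZED UINT32_C(12715)
#define PKTS_DROPPED  UINT32_C(0)

/* Assumed form of the calculation: plain unsigned 32-bit subtraction.
 * When analyzed + dropped exceeds received, the result wraps modulo 2^32. */
uint32_t outstanding_naive(uint32_t recv, uint32_t analyzed, uint32_t dropped)
{
    return recv - analyzed - dropped;
}

/* Hypothetical guarded version: compute in signed 64-bit space, clamp the
 * result at zero and flag the inconsistency instead of printing a wrapped value. */
uint32_t outstanding_checked(uint32_t recv, uint32_t analyzed,
                             uint32_t dropped, int *inconsistent)
{
    int64_t diff = (int64_t)recv - (int64_t)analyzed - (int64_t)dropped;
    *inconsistent = (diff < 0);
    return diff < 0 ? 0u : (uint32_t)diff;
}

/* Recover the signed value hidden in a wrapped 32-bit counter, which is
 * the "subtract from 2^32" step done by hand in the quoted message. */
int64_t unwrap_counter(uint32_t wrapped)
{
    return wrapped > (uint32_t)INT32_MAX
               ? (int64_t)wrapped - ((int64_t)1 << 32)
               : (int64_t)wrapped;
}

int main(void)
{
    int bad = 0;
    uint32_t naive = outstanding_naive(PKTS_RECEIVED, PKTS_ANALYZED, PKTS_DROPPED);
    uint32_t safe = outstanding_checked(PKTS_RECEIVED, PKTS_ANALYZED,
                                        PKTS_DROPPED, &bad);

    printf("naive outstanding:   %" PRIu32 "\n", naive);
    printf("unwrapped value:     %" PRId64 "\n", unwrap_counter(naive));
    printf("checked outstanding: %" PRIu32 " (inconsistent=%d)\n", safe, bad);
    return 0;
}
```

A received count lower than the analyzed count is itself the anomaly to investigate; the wrapped "Outstanding" value is only its symptom.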