[Snort-users] perfmonitor and pmgraph

Paul Melson pmelson at ...11827...
Wed Sep 20 12:39:31 EDT 2006


I'm trying to use pmgraph to analyze Snort 2.4 perfmonitor statistics.
Specifically, I am trying to troubleshoot dropped packets on a moderately
busy sensor.  

The problem I am having with the perfmonitor file is that there seem to be
some crazy values in the field that, as I understand it, is the % of dropped
packets:

(from pmgraph.pl):

    while (chomp(my @fields = split(/,/, <PERF>))) {

        my $time      = $fields[0];
        my $drops     = $fields[1];
        my $alerts    = $fields[3];
        my $kpackets  = $fields[4];
        my $avg_bytes = $fields[5];


(from my perfmonitor file via `tail -10 perfmon.out |cut -d, -f1-2`):
1158767893,7436141.591
1158767958,0.000
1158768193,0.000
1158768258,55.712
1158768495,3.262
1158768564,0.000
1158768795,0.000
1158768865,0.000
1158769096,45999421.902
1158769165,100.000

What's with the impossibly large values in the 2nd field?  How can any of
those values be larger than 100.000?

Thanks,
PaulM
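
An added example, not part of the original post or of pmgraph.pl: a Python pre-filter that reads the time and drop fields at the positions the pmgraph.pl excerpt uses (fields 0 and 1) and separates rows whose drop percentage falls outside 0 to 100, run here over the ten rows quoted in the post. The function name `check_drop_field` and the reporting of the gap since the previous sample are assumptions of this example.

```python
import csv

# The ten "time,drop%" pairs quoted in the post above (first two fields only).
SAMPLE = """\
1158767893,7436141.591
1158767958,0.000
1158768193,0.000
1158768258,55.712
1158768495,3.262
1158768564,0.000
1158768795,0.000
1158768865,0.000
1158769096,45999421.902
1158769165,100.000
"""


def check_drop_field(lines):
    """Split perfmonitor rows into (valid, suspect) by the drop % field.

    Each entry is (epoch, drop_pct, gap_seconds), where gap_seconds is the
    time since the previous parsed sample (None for the first one).
    """
    valid, suspect = [], []
    prev = None
    for row in csv.reader(lines):
        try:
            epoch, drop = int(row[0]), float(row[1])
        except (ValueError, IndexError):
            continue  # blank, truncated or non-numeric row: not a sample
        gap = None if prev is None else epoch - prev
        prev = epoch
        # A percentage must lie in [0, 100]; NaN fails both comparisons
        # and therefore also lands in the suspect list.
        bucket = valid if 0.0 <= drop <= 100.0 else suspect
        bucket.append((epoch, drop, gap))
    return valid, suspect


if __name__ == "__main__":
    valid, suspect = check_drop_field(SAMPLE.splitlines())
    for epoch, drop, gap in suspect:
        print(f"{epoch}: drop%={drop} out of range (gap since previous: {gap}s)")
    print(f"{len(valid)} usable samples, {len(suspect)} rejected")
```

Keeping the suspect rows out of the graph input stops them from dominating the drop-rate scale, and the recorded gap shows how far each one sits from the sample before it.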





