[Snort-users] perfmonitor and pmgraph

Paul Melson pmelson at ...11827...
Tue Sep 26 11:28:14 EDT 2006


Thanks Andreas.  I think my only choice is to upgrade to 2.6 and hope the
problem goes away.

In the meantime, I wound up writing a Perl script to "normalize" the drops%
field so that I can at least generate graphs that mean something.  But, I
also run `kill -USR1 [pidofsnort]` every midnight and the packet loss
statistics reported by snort to syslog are not even close to the
"normalized" perfmonitor data.  Looks like it's garbage all the way through.
:-\

PaulM 


-----Original Message-----
From: Andreas Östling [mailto:andreaso at ...236...] 
Sent: Monday, September 25, 2006 8:18 AM
To: Paul Melson
Subject: Re: [Snort-users] perfmonitor and pmgraph

On Wednesday 20 September 2006 18:39, Paul Melson wrote:
> I'm trying to use pmgraph to analyze Snort 2.4 perfmonitor statistics. 
> Specifically, I am trying to troubleshoot dropped packets on a 
> moderately busy sensor.
>
> The problem I am having with the perfmonitor file is that there seem 
> to be some crazy values in the field that, as I understand it, is the 
> % of dropped packets:

Looks like a bug in the perfmonitor preprocessor; I know it has had a few
problems like that before on some platforms. The best thing is probably to
try the latest 2.6 version.

/Andreas
