[Snort-users] perfmonitor and pmgraph
pmelson at ...11827...
Tue Sep 26 11:28:14 EDT 2006
Thanks Andreas. I think my only choice is to upgrade to 2.6 and hope the
problem goes away.
In the mean time, I wound up writing a Perl script to "normalize" the drops%
field so that I can at least generate graphs that mean something. But, I
also run `kill -USR1 [pidofsnort]` every midnight and the packet loss
statistics reported by snort to syslog are not even close to the
"normalized" perfmonitor data. Looks like it's garbage all the way through.
From: Andreas Östling [mailto:andreaso at ...236...]
Sent: Monday, September 25, 2006 8:18 AM
To: Paul Melson
Subject: Re: [Snort-users] perfmonitor and pmgraph
On Wednesday 20 September 2006 18:39, Paul Melson wrote:
> I'm trying to use pmgraph to analyze Snort 2.4 perfmonitor statistics.
> Specifically, I am trying to troubleshoot dropped packets on a
> moderately busy sensor.
> The problem I am having with the perfmonitor file is that there seem
> to be some crazy values in the field that, as I understand it, is the
> % of dropped packets:
Looks like a bug in the perfmonitor preprocessor, I know it has had a few
problems like that before on some platforms. The best thing is probably to
try the latest 2.6 version.
More information about the Snort-users