[Snort-users] statistics, dropped packets, and counters
twease at ...1935...
Fri Apr 25 08:47:03 EDT 2008
Snort gets received and drop stats from libpcap (pcap_stats() function)
which in most cases gets the stats from the kernel.
For Linux, the function pcap_stats_linux() is used as the callback for
pcap_stats() and the following comment is in the libpcap 0.9.8 code:
* "ps_drop" counts packets dropped because we ran
* out of buffer space. It doesn't count packets
* dropped by the interface driver. It counts only
* packets that passed the filter.
Snort uses the ps_drop stat.
Jorge Cuevas wrote:
> Hi all,
> I am trying to gather accurate information regarding packet lost when I
> use snort.
> The point is when I send kill -USR1 signal to snort, trying to gather
> some statistics, the dropped packets shown here are related to snort
> itself, or to libpcap losts (called from snort)? Is this value reliable?
> For example, ntop shows information regarding dropped packets due to
> ntop application itself, and dropped packets from libpcap. In some
> scenario, I am using pf_ring socket with ntop, and from
> /proc/net/pf_ring, I can read libpcap or pf_ring dropping statistics
> which fit exactly with those showed by ntop web interface. Does anyone
> know from where I can read libpcap dropped statistics in a raw matter
> similar to /proc/net/pf_ring ones when using snort and common libpcap?
> ie, does libpcap log down any kind of basic or raw statistics? Are they
> And last question, what about the statistics from this commands:
> ip -stats link
> cat /proc/net/dev
> Are the dropped packets gather from here related in any matter to
> dropped packets shown in snort statistics?
> Any help will be much appreciate.
> Thanks in advance
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users