[Snort-users] statistics, dropped packets, and counters

Todd Wease twease at ...1935...
Fri Apr 25 08:47:03 EDT 2008


Snort gets received and drop stats from libpcap (pcap_stats() function)
which in most cases gets the stats from the kernel.

For Linux, the function pcap_stats_linux() is used as the callback for
pcap_stats() and the following comment is in the libpcap 0.9.8 code:

...
*  "ps_drop" counts packets dropped because we ran

*  out of buffer space.  It doesn't count packets

*  dropped by the interface driver.  It counts only

*  packets that passed the filter.
...

Snort uses the ps_drop stat.


Jorge Cuevas wrote:
> Hi all,
> 
> I am trying to gather accurate information regarding packet lost when I 
> use snort.
> 
> The point is when I send kill -USR1 signal to snort, trying to gather 
> some statistics, the dropped packets shown here are related to snort 
> itself, or  to libpcap losts (called from snort)? Is this value reliable?
> 
> For example, ntop shows information regarding dropped packets due to 
> ntop application itself, and dropped packets from libpcap. In some 
> scenario, I am using pf_ring socket with ntop, and from 
> /proc/net/pf_ring, I can read libpcap or pf_ring dropping statistics 
> which fit exactly with those showed by ntop web interface. Does anyone 
> know from where I can read libpcap dropped statistics in a raw matter 
> similar to /proc/net/pf_ring ones when using snort and common libpcap? 
> ie, does libpcap log down any kind of basic or raw statistics? Are they 
> reliable?
> 
> And last question, what about the statistics from this commands:
> 
> ip -stats link
> cat /proc/net/dev
> 
> Are the dropped packets gather from here related in any matter to 
> dropped packets shown in snort statistics?
> 
> Any help will be much appreciate.
> 
> Thanks in advance
> 
> Jorge
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
> Don't miss this year's exciting event. There's still time to save $100. 
> Use priority code J8TL2D2. 
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list