[Snort-users] perfmon avg bytes/pkt columns misaligned?

Lee Clemens snort at ...13080...
Fri Feb 27 19:59:37 EST 2009


Hello all,

I am using Snort 2.8.3.1 and 2.8.3.2 with the perfmon preprocessor and I
noticed something strange with the output while calculating R-squared values
with my drop rate.

The columns 'Avg Bytes/Pkt (wire)' (1st one) and 'Avg Bytes/Pkt (applayer)'
seem to be identical.

The second 'Avg Bytes/Pkt (wire)' is different from both of these.

The 2.8.3 manual states "Avg Bytes/Pkt (wire) [duplicated below for easy
comparison with other rates]" for the first 'Avg Bytes/Pkt'.

However, it seems to be a duplicate of 'Avg Bytes/Pkt (applayer)' instead.

Am I reading this correctly, or is the wrong value being duplicated in this
first column (column G or the first 'Avg Bytes/Pkt (wire)')?  

The second 'Avg Bytes/Pkt (wire)' seems to be correct (95% stats are less
than 'Avg Bytes/Pkt (applayer)' and never over by more than 6 pkts).

I also see 18 columns which are not described in the 2.8.3 manual, but none
of them are close to matching either of the Avg Bytes/Pkt stats.

Lee
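
One way to test the duplication described above, as an added example that is not part of the original message or of Snort: it reports which columns of a comma-separated perfmon stats file equal column G in every row, and how two columns compare row by row. The sample rows are constructed, every column position other than G (index 6) is a placeholder, and skipping lines that start with `#` is an assumption about the file layout.

```python
import csv

# Constructed rows for illustration; NOT real Snort output. Only "column G"
# (index 6) comes from the post; the other positions are hypothetical.
SAMPLE = """\
# constructed perfmon-style stats
1235782777,0.000,12.5,0.4,30.1,2.2,498,1.1,512,9.0,498
1235782837,0.120,13.1,0.5,31.7,2.4,640,1.3,655,9.4,640
1235782897,0.050,11.9,0.3,29.8,2.1,455,1.0,452,8.8,455
1235782957,0.000,12.2,0.4,30.5,2.3,501,1.2,507,9.1,501
"""


def load_rows(text):
    """Parse CSV text into rows of floats, skipping blank and '#' lines."""
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    return [[float(v) for v in row] for row in csv.reader(lines)]


def duplicates_of(rows, target):
    """Return indices of columns equal to column `target` in every row."""
    width = min(len(r) for r in rows)
    return [c for c in range(width)
            if c != target and all(r[c] == r[target] for r in rows)]


def compare(rows, a, b):
    """Return (fraction of rows where col a < col b, largest a - b excess)."""
    below = sum(1 for r in rows if r[a] < r[b])
    excess = max((r[a] - r[b] for r in rows), default=0.0)
    return below / len(rows), max(excess, 0.0)


if __name__ == "__main__":
    rows = load_rows(SAMPLE)
    col_g = 6  # spreadsheet column G, zero-based
    print("columns identical to G:", duplicates_of(rows, col_g))
    print("col 8 vs G (fraction below, max excess):", compare(rows, 8, col_g))
```

Run against a real stats file by passing its contents to `load_rows` and substituting the column indices that file actually uses.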




