[Snort-users] 100% Outstanding - what does that mean?

Bryan Arenal b.arenal at ...11827...
Mon Aug 9 11:04:50 EDT 2010


I just set up a new sensor and when checking its performance
statistics, I am seeing a couple of the interfaces with Outstanding at
100%.  Here's the output from one of the interfaces:

Aug  9 06:56:54 spock snort[1536]: ===============================================================================
Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug  9 06:56:54 spock snort[1536]:    Injected:            0
Aug  9 06:56:54 spock snort[1536]: ===============================================================================

What exactly does that mean?  A Google search shows a February email
from Matt Watchinski saying, "Outstanding means that packets never got
out of the ethernet card before they got dropped.  IE pcap didn't get
to them before they disappeared."  But the README.counts in the 2.9.0
beta documentation says "Outstanding indicates how many packets are
buffered awaiting processing."  So I suppose I'm a bit confused.  If
they're buffered, pcap has gotten to them, correct?  Can I see why
100% of them are buffered and not processing?

Regards,

Bryan
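
A sensor-health check over this syslog format, added here as an example and not part of the original post or of Snort itself: it groups the Packet I/O Totals counters by host and snort PID and flags instances that received traffic but analyzed none of it. The function names, the 5% threshold and the second (pid 1540) instance in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the syslog output from the post (pid 1536)
# plus a made-up healthy instance (pid 1540) for contrast.
SAMPLE = """\
Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug  9 06:56:55 spock snort[1540]:    Received:      1000000
Aug  9 06:56:55 spock snort[1540]:    Analyzed:       990000 ( 99.000%)
Aug  9 06:56:55 spock snort[1540]: Outstanding:         5000 (  0.500%)
"""

LINE = re.compile(r"(\S+) snort\[(\d+)\]:\s*"
                  r"(Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(\d+)")

def parse_totals(text):
    """Return {(host, pid): {counter_name: int}} for every snort instance."""
    totals = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            host, pid, name, value = m.groups()
            totals[(host, int(pid))][name.lower()] = int(value)
    return dict(totals)

def blind_instances(totals, max_outstanding=0.05):
    """Flag instances that received traffic but analyzed none of it, or that
    left more than max_outstanding (assumed threshold) of it unprocessed."""
    findings = []
    for key, c in sorted(totals.items()):
        recv = c.get("received", 0)
        if recv == 0:
            continue  # no traffic seen, nothing to judge
        ratio = c.get("outstanding", 0) / recv
        if c.get("analyzed", 0) == 0:
            findings.append((key, "no packets analyzed", ratio))
        elif ratio > max_outstanding:
            findings.append((key, "high outstanding", ratio))
    return findings

if __name__ == "__main__":
    for (host, pid), reason, ratio in blind_instances(parse_totals(SAMPLE)):
        print(f"{host} snort[{pid}]: {reason} ({ratio:.1%} outstanding)")
```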
