[Snort-users] 100% Outstanding - what does that mean?

Russ Combs rcombs at ...1935...
Mon Aug 9 16:59:52 EDT 2010


On Mon, Aug 9, 2010 at 4:47 PM, Bryan Arenal <b.arenal at ...11827...> wrote:

> On Mon, Aug 9, 2010 at 09:14, Russ Combs <rcombs at ...1935...> wrote:
> >
> >
> > On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal at ...11827...> wrote:
> >>
> >> I just set up a new sensor and when checking its performance
> >> statistics, I am seeing a couple of the interfaces with Outstanding at
> >> 100%.  Here's the output from one of the interfaces:
> >>
> >> Aug  9 06:56:54 spock snort[1536]:
> >>
> >> ===============================================================================
> >> Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
> >> Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
> >> Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
> >> Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
> >> Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
> >> Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
> >> Aug  9 06:56:54 spock snort[1536]:    Injected:            0
> >> Aug  9 06:56:54 spock snort[1536]:
> >>
> >> ===============================================================================
> >>
> >> What exactly does that mean?  A Google search shows a February email
> >> from Matt Watchinski saying, "Outstanding means that packets never got
> >> out of the ethernet card before they got dropped.  IE pcap didn't get
> >> to them before they disappeared."  But the README.counts in the 2.9.0
> >> beta documentation says "Outstanding indicates how many packets are
> >> buffered awaiting processing."  So I suppose I'm a bit confused.  If
> >> they're buffered, pcap has gotten to them, correct?  Can I see why
> >> 100% of them are buffered and not processing?
> >
> > The DAQ changes things up a little with 2.9.0.  Which DAQ are you using and
> > how is it configured?
>
> That was actually a test box and I haven't done any additional
> configuration to DAQ but I do see the same thing on one of my other
> machines that's running 2.8.6.1.  And CPU utilization on that snort
> process is near 0%.
>
> Aug  9 11:23:33 spock snort[13693]:
>
> ===============================================================================
> Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
> Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
> Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (0.000%)
> Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (0.002%)
> Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 (99.998%)
> Aug  9 11:23:33 spock snort[13693]:
>
> ===============================================================================
>
> But other processes running on other interfaces are reporting normal
> stats.  Looks like it's just regular HTTP traffic and not a whole lot
> at that.
>

Can you send the snort command line and any DAQ config daq_* or config
bpf_* stuff from your conf?

Also, please confirm that all your protocol breakdown counts are zero.

If you can reproduce this without a conf, you should see something like this
at start up:

$ sudo ./snort ip6
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: ip6
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.0 IPv6 GRE (Build 48)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

Can you send the equivalent?
> And thanks for the humor Justin and Marty! :-)
>
> Regards,
>
> Bryan
>
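An added example, not code from the thread: a small Python check for exactly this symptom, which parses the counter block from syslog and flags a sensor that receives traffic but analyzes none. It assumes the counts relate as Received = Analyzed + Dropped + Filtered + Outstanding (the thread does not state this, but both posted blocks satisfy it) and uses the 2.8.6.1 lines above as constructed sample input.

```python
import re
from typing import Dict, List

# Constructed sample: the 2.8.6.1 block posted above, as syslog lines.
SAMPLE_LOG = """\
Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (0.000%)
Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (0.002%)
Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 (99.998%)
"""
# One counter line per match; the trailing "(x.xxx%)" is optional and ignored.
COUNTER_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<name>Received|Analyzed|Dropped|Filtered|Outstanding|Injected):\s+(?P<value>\d+)"
)

def parse_packet_totals(log_text: str) -> Dict[int, Dict[str, int]]:
    """Collect the packet counters of each snort PID found in syslog text."""
    totals: Dict[int, Dict[str, int]] = {}
    for line in log_text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            totals.setdefault(int(m["pid"]), {})[m["name"]] = int(m["value"])
    return totals

def sensor_health(counts: Dict[str, int], outstanding_limit: float = 0.95) -> List[str]:
    """Findings for one sensor. Assumes (not stated in the thread, but true of both
    posted blocks) Received == Analyzed + Dropped + Filtered + Outstanding."""
    received = counts.get("Received", 0)
    if received == 0:
        return ["no packets received"]
    findings = []
    accounted = sum(counts.get(k, 0) for k in ("Analyzed", "Dropped", "Filtered", "Outstanding"))
    if accounted != received:
        findings.append(f"counter mismatch: received {received}, accounted for {accounted}")
    if counts.get("Analyzed", 0) == 0:
        findings.append("sensor blind: traffic received but 0 packets analyzed")
    ratio = counts.get("Outstanding", 0) / received
    if ratio >= outstanding_limit:
        findings.append(f"outstanding {ratio:.3%} of received: packets never reach detection")
    return findings

def check_log(log_text: str) -> Dict[int, List[str]]:
    """Map each snort PID in the log to its list of findings (empty means healthy)."""
    return {pid: sensor_health(c) for pid, c in parse_packet_totals(log_text).items()}

if __name__ == "__main__":
    for pid, findings in check_log(SAMPLE_LOG).items():
        print(pid, findings or ["ok"])
```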