[Snort-users] 100% Outstanding - what does that mean?

Bryan Arenal b.arenal at ...11827...
Mon Aug 9 17:25:14 EDT 2010


On Mon, Aug 9, 2010 at 14:59, Russ Combs <rcombs at ...1935...> wrote:
>
>
> On Mon, Aug 9, 2010 at 4:47 PM, Bryan Arenal <b.arenal at ...11827...> wrote:
>>
>> On Mon, Aug 9, 2010 at 09:14, Russ Combs <rcombs at ...1935...> wrote:
>> >
>> >
>> > On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal at ...11827...>
>> > wrote:
>> >>
>> >> I just set up a new sensor and when checking its performance
>> >> statistics, I am seeing a couple of the interfaces with Outstanding at
>> >> 100%.  Here's the output from one of the interfaces:
>> >>
>> >> Aug  9 06:56:54 spock snort[1536]:
>> >>
>> >>
>> >> ===============================================================================
>> >> Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
>> >> Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
>> >> Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
>> >> Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
>> >> Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
>> >> Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
>> >> Aug  9 06:56:54 spock snort[1536]:    Injected:            0
>> >> Aug  9 06:56:54 spock snort[1536]:
>> >>
>> >>
>> >> ===============================================================================
>> >>
>> >> What exactly does that mean?  A google search shows a February email
>> >> from Matt Watchinski saying, "Outstanding means that packets never got
>> >> out of the ethernet card before they got dropped.  IE pcap didn't get
>> >> to them before they disappeared."  But the README.counts in the 2.9.0
>> >> beta documentation says "Outstanding indicates how many packets are
>> >> buffered awaiting processing."  So I suppose I'm a bit confused.  If
>> >> they're buffered, pcap has gotten to them, correct?  Can I see why
>> >> 100% of them are buffered and not processing?
>> >
>> > The DAQ changes things up a little with 2.9.0.  Which DAQ are you using
>> > and how is it configured?
>>
>> That was actually a test box and I haven't done any additional
>> configuration to DAQ but I do see the same thing on one of my other
>> machines that's running 2.8.6.1.  And CPU utilization on that snort
>> process is near 0%.
>>
>> Aug  9 11:23:33 spock snort[13693]:
>>
>> ===============================================================================
>> Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
>> Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
>> Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (0.000%)
>> Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (0.002%)
>> Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 (99.998%)
>> Aug  9 11:23:33 spock snort[13693]:
>>
>> ===============================================================================
>>
>> But other processes running on other interfaces are reporting normal
>> stats.  Looks like it's just regular HTTP traffic and not a whole lot
>> at that.
>
> Can you send the snort command line and any DAQ config daq_*  or config
> bpf_* stuff from your conf?
>
> Also, please confirm that all your protocol breakdown counts are zero.
>
> If you can reproduce this without a conf, you should see something like this
> at start up:
>
> $ sudo ./snort ip6
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: ip6
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth0".
> Decoding Ethernet
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.0 IPv6 GRE (Build 48)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 6.6 06-Feb-2006
>            Using ZLIB version: 1.2.3
>
> Can you send the equivalent?

Russ,

Thanks for the reply.  Yes, I've confirmed all proto breakdown counts
are zero and here's the output you've requested:

# snort

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 IPv6 (Build 39)
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

snort    13693  0.6  2.2 342212 231472 ?       Rs   04:02   6:37
/usr/sbin/snort -A fast -b -d -D -i eth4 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort/eth4 -F /etc/snort/bpf_file

# cat /etc/snort/bpf_file
(vlan &&
(not host 172.16.234.34) &&
(not host 172.16.234.35) &&
(not host 172.16.234.36) &&
(not host 172.16.234.37) &&
(not host 192.168.41.49) &&
(not host 192.168.41.52) &&
(not host 192.168.41.25) &&
(not host 192.168.41.28)
)

Regards,

Bryan
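As an added example (not code from this thread or from the Snort project), the following Python script parses "Packet I/O Totals" / "Packet Wire Totals" blocks as they appear in the syslog output quoted above and flags a sensor that is receiving packets but analyzing none. It recomputes Outstanding as Received minus Analyzed, Dropped and Filtered; that arithmetic is an assumption inferred from the counters in the thread (202781012 - 0 - 0 - 0 and 149221835 - 0 - 2338 = 149219497), with Filtered defaulting to 0 because the 2.8.6.1 "Packet Wire Totals" block prints no such line. The embedded sample contains the two blocks from the thread plus a constructed healthy block for contrast; the status labels and the backlog threshold are my own choices.

```python
"""Health check for Snort packet counters as printed to syslog.

Sample input: the two counter blocks quoted in the thread (pids 1536 and
13693) plus one constructed healthy block (pid 2222) for comparison.
"""
import re

SAMPLE_LOG = """\
Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug  9 06:56:54 spock snort[1536]:    Injected:            0
Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (0.000%)
Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (0.002%)
Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 (99.998%)
Aug  9 12:00:00 spock snort[2222]: Packet I/O Totals:
Aug  9 12:00:00 spock snort[2222]:    Received:      1000000
Aug  9 12:00:00 spock snort[2222]:    Analyzed:       999000 ( 99.900%)
Aug  9 12:00:00 spock snort[2222]:     Dropped:          500 (  0.050%)
Aug  9 12:00:00 spock snort[2222]:    Filtered:          400 (  0.040%)
Aug  9 12:00:00 spock snort[2222]: Outstanding:          100 (  0.010%)
"""

# A totals block starts with either header; every following counter line for
# the same pid belongs to that block.
HEADER_RE = re.compile(r"snort\[(?P<pid>\d+)\]:\s*Packet (?:I/O|Wire) Totals:")
COUNTER_RE = re.compile(r"snort\[(?P<pid>\d+)\]:\s*(?P<name>[A-Za-z]+):\s*(?P<value>\d+)")


def parse_packet_totals(log_text):
    """Return {pid: {counter_name: value}} for every totals block in the text."""
    blocks = {}
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            current = int(m.group("pid"))
            blocks[current] = {}
            continue
        m = COUNTER_RE.search(line)
        if m and int(m.group("pid")) == current:
            blocks[current][m.group("name")] = int(m.group("value"))
    return blocks


def outstanding(counters):
    """Received minus everything Snort accounted for (assumed formula, see
    lead-in). Filtered is only printed by 2.9.0 DAQ builds, so it defaults to 0."""
    return (counters.get("Received", 0) - counters.get("Analyzed", 0)
            - counters.get("Dropped", 0) - counters.get("Filtered", 0))


def outstanding_pct(counters):
    """Outstanding as a percentage of Received, rounded like Snort's own output."""
    rx = counters.get("Received", 0)
    return 0.0 if rx == 0 else round(100.0 * outstanding(counters) / rx, 3)


def reported_outstanding_matches(counters):
    """True when the Outstanding line Snort printed agrees with the recomputation
    (or when no Outstanding line was present)."""
    reported = counters.get("Outstanding")
    return reported is None or reported == outstanding(counters)


def sensor_status(counters, backlog_pct=5.0):
    """Classify one block. NOT_ANALYZING is the symptom from the thread: traffic
    reaches the interface but no packet is ever inspected."""
    rx = counters.get("Received", 0)
    if rx == 0:
        return "NO_TRAFFIC"
    if counters.get("Analyzed", 0) == 0:
        return "NOT_ANALYZING"
    if outstanding_pct(counters) > backlog_pct:
        return "BACKLOG"
    return "OK"


def check_log(log_text):
    """Map each pid to (status, outstanding count, outstanding percent)."""
    return {pid: (sensor_status(c), outstanding(c), outstanding_pct(c))
            for pid, c in parse_packet_totals(log_text).items()}


if __name__ == "__main__":
    for pid, (status, count, pct) in sorted(check_log(SAMPLE_LOG).items()):
        print(f"snort[{pid}]: {status:13s} outstanding={count} ({pct}%)")
```

Feeding this a real syslog stream lets a monitoring job raise an alert on NOT_ANALYZING before anyone notices that an interface has quietly produced no alerts for hours; the BACKLOG threshold is separate because a small non-zero Outstanding value is normal on a busy sensor.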
