[Snort-users] 100% Outstanding - what does that mean?

Russ Combs rcombs at ...1935...
Mon Aug 9 17:30:52 EDT 2010


On Mon, Aug 9, 2010 at 5:25 PM, Bryan Arenal <b.arenal at ...11827...> wrote:

> On Mon, Aug 9, 2010 at 14:59, Russ Combs <rcombs at ...1935...> wrote:
> >
> >
> > On Mon, Aug 9, 2010 at 4:47 PM, Bryan Arenal <b.arenal at ...11827...> wrote:
> >>
> >> On Mon, Aug 9, 2010 at 09:14, Russ Combs <rcombs at ...1935...> wrote:
> >> >
> >> >
> >> > On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal at ...11827...>
> >> > wrote:
> >> >>
> >> >> I just set up a new sensor and when checking its performance
> >> >> statistics, I am seeing a couple of the interfaces with Outstanding at
> >> >> 100%.  Here's the output from one of the interfaces:
> >> >>
> >> >> Aug  9 06:56:54 spock snort[1536]: ===============================================================================
> >> >> Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
> >> >> Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
> >> >> Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
> >> >> Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
> >> >> Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
> >> >> Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
> >> >> Aug  9 06:56:54 spock snort[1536]:    Injected:            0
> >> >> Aug  9 06:56:54 spock snort[1536]: ===============================================================================
> >> >>
> >> >> What exactly does that mean?  A google search shows a February email
> >> >> from Matt Watchinski saying, "Outstanding means that packets never got
> >> >> out of the ethernet card before they got dropped.  IE pcap didn't get
> >> >> to them before they disappeared."  But the README.counts in the 2.9.0
> >> >> beta documentation says "Outstanding indicates how many packets are
> >> >> buffered awaiting processing."  So I suppose I'm a bit confused.  If
> >> >> they're buffered, pcap has gotten to them, correct?  Can I see why
> >> >> 100% of them are buffered and not processing?
> >> >
> >> > The DAQ changes things up a little with 2.9.0.  Which DAQ are you using
> >> > and how is it configured?
> >>
> >> That was actually a test box and I haven't done any additional
> >> configuration to DAQ but I do see the same thing on one of my other
> >> machines that's running 2.8.6.1.  And CPU utilization on that snort
> >> process is near 0%.
> >>
> >> Aug  9 11:23:33 spock snort[13693]: ===============================================================================
> >> Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
> >> Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
> >> Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (0.000%)
> >> Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (0.002%)
> >> Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 (99.998%)
> >> Aug  9 11:23:33 spock snort[13693]: ===============================================================================
> >>
> >> But other processes running on other interfaces are reporting normal
> >> stats.  Looks like it's just regular HTTP traffic and not a whole lot
> >> at that.
> >
> > Can you send the snort command line and any DAQ config daq_*  or config
> > bpf_* stuff from your conf?
> >
> > Also, please confirm that all your protocol breakdown counts are zero.
> >
> > If you can reproduce this without a conf, you should see something like this
> > at start up:
> >
> > $ sudo ./snort ip6
> > Running in packet dump mode
> >
> >         --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Snort BPF option: ip6
> > pcap DAQ configured to passive.
> > Acquiring network traffic from "eth0".
> > Decoding Ethernet
> >
> >         --== Initialization Complete ==--
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.0 IPv6 GRE (Build 48)
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
> >            Using libpcap version 1.1.1
> >            Using PCRE version: 6.6 06-Feb-2006
> >            Using ZLIB version: 1.2.3
> >
> > Can you send the equivalent?
>
> Russ,
>
> Thanks for the reply.  Yes, I've confirmed all proto breakdown counts
> are zero and here's the output you've requested:
>
> # snort
>
>   ,,_     -*> Snort! <*-
>  o"  )~   Version 2.8.6.1 IPv6 (Build 39)
>   ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using PCRE version: 6.6 06-Feb-2006
>           Using ZLIB version: 1.2.3
>
> snort    13693  0.6  2.2 342212 231472 ?       Rs   04:02   6:37
> /usr/sbin/snort -A fast -b -d -D -i eth4 -u snort -g snort -c
> /etc/snort/snort.conf -l /var/log/snort/eth4 -F /etc/snort/bpf_file
>
> # cat /etc/snort/bpf_file
> (vlan &&
> (not host 172.16.234.34) &&
> (not host 172.16.234.35) &&
> (not host 172.16.234.36) &&
> (not host 172.16.234.37) &&
> (not host 192.168.41.49) &&
> (not host 192.168.41.52) &&
> (not host 192.168.41.25) &&
> (not host 192.168.41.28)
> )
>
> Regards,
>

Thanks ... can you send the start up part that looks something like this:

        --== Initializing Snort ==--
Initializing Output Plugins!
Snort BPF option: vlan
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Decoding Ethernet


>
> Bryan
>
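Added example, not part of the thread: a small Python sensor-health check that parses the "Packet I/O Totals" / "Packet Wire Totals" syslog lines quoted above, verifies that Outstanding equals Received minus Analyzed, Dropped and Filtered (an identity inferred from the numbers in the thread, not taken from Snort documentation), and flags any snort process that receives traffic but analyzes almost none of it, which is a monitoring blind spot whatever the counter's precise definition. The sample log is constructed from the two blocks in the thread plus one invented healthy process (pid 2000).

```python
import re
from typing import Dict

# Constructed sample: the two blocks quoted in the thread plus a healthy
# process (pid 2000) that was invented here for contrast.
SAMPLE_LOG = """\
Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (0.000%)
Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (0.002%)
Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 (99.998%)
Aug  9 12:00:00 spock snort[2000]: Packet I/O Totals:
Aug  9 12:00:00 spock snort[2000]:    Received:      1000000
Aug  9 12:00:00 spock snort[2000]:    Analyzed:       999500 ( 99.950%)
Aug  9 12:00:00 spock snort[2000]:     Dropped:          500 (  0.050%)
Aug  9 12:00:00 spock snort[2000]: Outstanding:            0 (  0.000%)
"""

COUNTER_RE = re.compile(
    r"snort\[(?P<pid>\d+)\]:\s+"
    r"(?P<name>Received|Analyzed|Dropped|Filtered|Outstanding):\s+(?P<value>\d+)"
)


def parse_totals(log_text: str) -> Dict[int, Dict[str, int]]:
    """Group the counter lines by snort PID -> {counter name: value}."""
    totals: Dict[int, Dict[str, int]] = {}
    for line in log_text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            totals.setdefault(int(m["pid"]), {})[m["name"]] = int(m["value"])
    return totals


def expected_outstanding(c: Dict[str, int]) -> int:
    """Received minus everything Snort accounted for. Assumption: this identity
    is inferred from the thread's numbers, not from the Snort docs."""
    return c["Received"] - c.get("Analyzed", 0) - c.get("Dropped", 0) - c.get("Filtered", 0)


def sensor_blind(c: Dict[str, int], max_outstanding_ratio=0.5, min_received=1000) -> bool:
    """True when a process sees real traffic but leaves most of it unanalyzed."""
    recv = c.get("Received", 0)
    return recv >= min_received and c.get("Outstanding", 0) / recv > max_outstanding_ratio


def check(log_text: str) -> Dict[int, Dict[str, bool]]:
    """Per PID: do the counters add up, and is the sensor effectively blind?"""
    return {pid: {"consistent": c.get("Outstanding") == expected_outstanding(c),
                  "blind": sensor_blind(c)} for pid, c in parse_totals(log_text).items()}
```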