[Snort-users] Performance Monitor and "Dropped Rate" Statistic
mikelococo at ...11827...
Thu Aug 12 19:06:20 EDT 2010

The "Dropped Rate" statistics (print $2 in awk) output by the
Performance Monitor preprocessor appear to be averaged over the lifetime
of the snort process. Is there a way to get drop statistics averaged
over the PerfMon data-collection period instead?

What I've tried so far:

1) Calculating the drop rate myself based on "Total Packets
   Received" (field $46), "Total Packets Dropped" (field $47), and my
   knowledge of the averaging period. It's possible, but awkward
   compared to the ease with which one obtains other values from
   PerfMon. Since the packet-drop rate is probably the one stat most
   folks want, it should be dead-easy to get.

2) Tried dumping "Percentage of Packets Dropped" (field $49). On my
   Snort 2.8.6 system running kernel 2.6.18-194.3.1.el5 and libpcap
   1.1.1, this field is always zero. $2 is not zero for the periods in

3) I haven't yet tried flipping the perfmon option "accumulate" vs
   "reset" away from the default. After reading the manual, I'm not
   sure what this option does and it takes a couple of days to generate
   meaningful drop data... so I haven't tried this yet. Anyone have a
   sense of what the effect of this option is?

In my opinion, snort should _by default_ average the drop rates over the
perfmon data-collection period instead of the process-lifetime. A
shorter averaging period is more useful since the data can be compared
against packet/bandwidth rates and other time-based data. It's also
less likely to mislead folks into believing that a low-average rate
means that their sensor is never dropping a large fraction of packets.
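
Approach 1 from the post, written out as an added example (not the poster's code and not part of Snort): it diffs fields $46 and $47 between consecutive perfmon rows to get a drop percentage per collection period. It assumes those two fields are counters that grow over the process lifetime, that $1 is the sample timestamp, and that "received" does not already include dropped packets; the sample rows are constructed.

```shell
#!/bin/sh
# Per-interval drop percentage from a Snort perfmon CSV read on stdin.
# Assumptions (not confirmed by the post): $1 is the Unix timestamp of the
# sample, and $46 / $47 are counters that grow over the process lifetime.
interval_drop_pct() {
    awk -F, '
    /^#/ || NF < 47 { next }            # skip header comments and short lines
    {
        ts = $1; recv = $46 + 0; drop = $47 + 0
        if (!have_prev) {
            have_prev = 1               # first sample: nothing to diff against
        } else if (recv < prev_recv || drop < prev_drop) {
            # counters went backwards: snort restarted, so start a new baseline
            printf "%s,restart\n", ts
        } else {
            dr = recv - prev_recv; dd = drop - prev_drop
            # assumes received excludes dropped; if your libpcap counts dropped
            # packets inside received, divide by dr alone instead
            seen = dr + dd
            pct = (seen > 0) ? 100 * dd / seen : 0
            printf "%s,%d,%d,%.2f\n", ts, dr, dd, pct
        }
        prev_recv = recv; prev_drop = drop
    }'
}

# Constructed sample: a 49-field row with only $1, $46 and $47 filled in.
sample_row() {
    awk -v ts="$1" -v r="$2" -v d="$3" 'BEGIN {
        line = ts
        for (i = 2; i <= 49; i++)
            line = line "," (i == 46 ? r : (i == 47 ? d : 0))
        print line
    }'
}

sample_data() {
    sample_row 1281650000 1000 0
    sample_row 1281650300 2000 0
    sample_row 1281650600 2500 500    # burst: half of this interval dropped
    sample_row 1281650900 100 0       # counters reset after a restart
    sample_row 1281651200 400 100
}

# Output columns: timestamp,received_delta,dropped_delta,drop_percent
sample_data | interval_drop_pct
```

In the constructed data the third sample shows a 50% drop rate for its interval, while the lifetime figure at that point (500 of 3000 packets) would be under 17%.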