[Snort-users] Performance Monitor and "Dropped Rate" Statistic

Mike Lococo mikelococo at ...11827...
Thu Aug 12 19:06:20 EDT 2010


Hi Folks,

The "Dropped Rate" statistics (print $2 in awk) output by the
Performance Monitor preprocessor appear to be averaged over the lifetime
of the snort process.  Is there a way to get drop statistics averaged
over the PerfMon data-collection period instead?

What I've tried so far:

   1) Calculating the drop rate myself based on "Total Packets
   Received" (field $46), "Total Packets Dropped" (field $47), and my
   knowledge of the averaging period.  It's possible, but awkward
   compared to the ease with which one obtains other values from
   PerfMon.  Since the packet-drop rate is probably the one stat most
   folks want, it should be dead-easy to get.

   2) Tried dumping "Percentage of Packets Dropped" (field $49).  On my
   Snort 2.8.6 system running kernel 2.6.18-194.3.1.el5 and libpcap
   1.1.1, this field is always zero.  $2 is not zero for the periods in
   question.

   3) I haven't yet tried flipping the perfmon option "accumulate" vs
   "reset" away from the default.  After reading the manual, I'm not
   sure what this option does and it takes a couple of days to generate
   meaningful drop data... so I haven't tried this yet.  Anyone have a
   sense of what the effect of this option is?

In my opinion, snort should _by default_ average the drop rates over the
perfmon data-collection period instead of the process-lifetime.  A
shorter averaging period is more useful since the data can be compared
against packet/bandwidth rates and other time-based data.  It's also
less likely to mislead folks into believing that a low-average rate
means that their sensor is never dropping a large fraction of packets.

Cheers,
Mike Lococo
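As an added example of option 1 above (not Mike's script and not Snort's own code), the shell/awk below computes a per-interval drop percentage from the cumulative counters and prints the lifetime figure next to it so the masking effect is visible. It assumes the field positions named in the post ($46 received, $47 dropped) plus a Unix timestamp in $1, uses constructed perfmon-style lines as input, and treats a counter that moves backwards (snort restart or perfmon "reset") as a new baseline.

```shell
#!/bin/sh
# Added example, not from the original post or from Snort. Field positions
# follow the post ($46 received, $47 dropped; $1 is assumed to be the
# timestamp); override with RECV_F / DROP_F if your perfmon layout differs.

# Construct a perfmon-style CSV line with 50 fields (constructed test data):
# timestamp in $1, cumulative received / dropped counters in the chosen fields.
mk_line() {  # usage: mk_line TIMESTAMP RECEIVED DROPPED
    awk -v ts="$1" -v rx="$2" -v dr="$3" \
        -v rf="${RECV_F:-46}" -v df="${DROP_F:-47}" 'BEGIN {
        for (i = 1; i <= 50; i++) {
            v = 0
            if (i == 1) v = ts; else if (i == rf) v = rx; else if (i == df) v = dr
            printf "%s%s", v, (i < 50 ? "," : "\n")
        }
    }'
}

# Read perfmon CSV on stdin; for every sample after the first print
#   "<timestamp> <interval drop %> <lifetime drop %>"
# The counters are cumulative, so the per-interval figure is
# delta(dropped) / delta(received) * 100 (assumption: "received" is the
# denominator the post's fields imply). A negative delta means the counters
# were reset; that sample is used only as the new baseline.
interval_drop_pct() {
    awk -F, -v rf="${RECV_F:-46}" -v df="${DROP_F:-47}" '
    NR > 1 {
        d_rx = $rf - prev_rx; d_dr = $df - prev_dr
        life = ($rf > 0) ? 100 * $df / $rf : 0
        if (d_rx >= 0 && d_dr >= 0) {
            pct = (d_rx > 0) ? 100 * d_dr / d_rx : 0
            printf "%s %.2f %.2f\n", $1, pct, life
        }
    }
    { prev_rx = $rf; prev_dr = $df }'
}

# Stand-alone demo: a 50% drop interval that the lifetime average hides.
if [ "${1:-}" = "demo" ]; then
    { mk_line 1000 1000 100; mk_line 1060 2000 200; mk_line 1120 4000 200
      mk_line 1180 5000 700; mk_line 1240 500 10; mk_line 1300 1500 110
    } | interval_drop_pct
fi
```

Run with `sh script.sh demo`, or pipe a real perfmon CSV into `interval_drop_pct` after sourcing the file.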



