[Snort-users] Snort dropping more packets than it received

Scott Finlon scott.finlon at ...15821...
Wed Sep 12 11:19:43 EDT 2012


I just installed Snort to run on 8 instances via PF_RING DNA, and whenever I dump the stats via kill -usr1 or end the processes the numbers just don't add up.
Is this an issue with the way Snort is adding, or could it be something else?

Sep 12 09:27:45 xxxx snort[6727]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6727]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6727]:    Received:     45655984
Sep 12 09:27:45 xxxx snort[6727]:    Analyzed:     45655984 (100.000%)
Sep 12 09:27:45 xxxx snort[6727]:     Dropped:     46954650 ( 50.701%)
Sep 12 09:27:45 xxxx snort[6727]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6727]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6727]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6727]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6718]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6718]: Packet I/O Totals:
Sep 12 09:27:44 xxxx snort[6718]:    Received:     37025357
Sep 12 09:27:44 xxxx snort[6718]:    Analyzed:     37025357 (100.000%)
Sep 12 09:27:44 xxxx snort[6718]:     Dropped:     52133522 ( 58.473%)
Sep 12 09:27:44 xxxx snort[6718]:    Filtered:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6718]: Outstanding:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6718]:    Injected:            0
Sep 12 09:27:44 xxxx snort[6718]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6709]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6709]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6709]:    Received:     44085744
Sep 12 09:27:45 xxxx snort[6709]:    Analyzed:     44085744 (100.000%)
Sep 12 09:27:45 xxxx snort[6709]:     Dropped:     42766248 ( 49.240%)
Sep 12 09:27:45 xxxx snort[6709]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6709]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6709]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6709]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6700]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6700]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6700]:    Received:     37680008
Sep 12 09:27:45 xxxx snort[6700]:    Analyzed:     37680008 (100.000%)
Sep 12 09:27:45 xxxx snort[6700]:     Dropped:     61853368 ( 62.143%)
Sep 12 09:27:45 xxxx snort[6700]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6700]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6700]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6700]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6691]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6691]: Packet I/O Totals:
Sep 12 09:27:44 xxxx snort[6691]:    Received:     39290934
Sep 12 09:27:44 xxxx snort[6691]:    Analyzed:     39290934 (100.000%)
Sep 12 09:27:44 xxxx snort[6691]:     Dropped:     68707395 ( 63.619%)
Sep 12 09:27:44 xxxx snort[6691]:    Filtered:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6691]: Outstanding:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6691]:    Injected:            0
Sep 12 09:27:44 xxxx snort[6691]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6682]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6682]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6682]:    Received:     38398293
Sep 12 09:27:45 xxxx snort[6682]:    Analyzed:     38398293 (100.000%)
Sep 12 09:27:45 xxxx snort[6682]:     Dropped:     58069741 ( 60.196%)
Sep 12 09:27:45 xxxx snort[6682]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6682]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6682]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6682]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6673]: ===============================================================================
Sep 12 09:27:44 xxxx snort[6673]: Packet I/O Totals:
Sep 12 09:27:44 xxxx snort[6673]:    Received:     34303570
Sep 12 09:27:44 xxxx snort[6673]:    Analyzed:     34303570 (100.000%)
Sep 12 09:27:44 xxxx snort[6673]:     Dropped:     57869774 ( 62.784%)
Sep 12 09:27:44 xxxx snort[6673]:    Filtered:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6673]: Outstanding:            0 (  0.000%)
Sep 12 09:27:44 xxxx snort[6673]:    Injected:            0
Sep 12 09:27:44 xxxx snort[6673]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6664]: ===============================================================================
Sep 12 09:27:45 xxxx snort[6664]: Packet I/O Totals:
Sep 12 09:27:45 xxxx snort[6664]:    Received:     40875927
Sep 12 09:27:45 xxxx snort[6664]:    Analyzed:     40875927 (100.000%)
Sep 12 09:27:45 xxxx snort[6664]:     Dropped:     56738978 ( 58.125%)
Sep 12 09:27:45 xxxx snort[6664]:    Filtered:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6664]: Outstanding:            0 (  0.000%)
Sep 12 09:27:45 xxxx snort[6664]:    Injected:            0
Sep 12 09:27:45 xxxx snort[6664]: ===============================================================================

Scott Finlon
-----------------------------------
Information Security Engineer
The University of Scranton
email : finlons2 at ...15821...
phone : 570-941-6168
-----------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120912/0d7d26fc/attachment.html>


More information about the Snort-users mailing list