[Snort-users] profiling

Carter Waxman (cwaxman) cwaxman at ...589...
Fri Apr 4 11:37:43 EDT 2014


Percent of total indicates the percentage of time spent in the particular
preprocessor / phase of detection. If you add all of the values together,
then you will get a value greater than 100. Processing is performed using
a hierarchy, so percent of total will include time for the layer + time
spent in sub-layers. Layer simply refers to the depth of calls. For
example, for s5TcpData, the call hierarchy is s5->s5tcp->s5TcpState (layer
0->1->2).

This should help clarify things:
https://www.snort.org/assets/163/WhitePaper_Snort_PerformanceTuning_2009.pdf

On 4/4/14 10:43 AM, "simegnew yihunie" <syihunie at ...11827...> wrote:

>Thanks.
>Do you have any idea what the columns percent of total and layer
>stand for? It is more than 100 when I add all.
>Sincerely,
>Sy.
>
>On 4/3/14, Carter Waxman (cwaxman) <cwaxman at ...589...> wrote:
>> Hello,
>>
>> You are correct. All of the statistics you listed track Stream5.
>>
>> -Carter
>>
>> On 4/3/14 10:33 AM, "simegnew yihunie" <syihunie at ...11827...> wrote:
>>
>>>Hey Guys,
>>>I enabled profiling of preprocessors and tested Snort. In the
>>>table there are s5, s5tcpState, s5tcpFlush, s5tcpProcessRebuilt,
>>>s5tcpBuildPacket, s5tcpData, s5tcpPacketInsert, s5tcpNewSess. Are all
>>>these stream preprocessors or other? Does anyone have any idea about
>>>this preprocessors layer?
>>>Sincerely,
>>>S.y
>>>
>>
>>
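
Added example, not part of the original thread and not Snort project code: a short Python script that reads preprocessor profile rows and shows why the percent-of-total column sums past 100 and how to get each entry's own share. The row layout (Num, Preprocessor, Layer, Checks, Exits, Microsecs, Avg/Check, Pct of Caller, Pct of Total) is an assumption, and the sample rows and their nesting are constructed, not real measurements.

```python
# Constructed sample rows (not real measurements). Assumed column order:
# Num, Preprocessor, Layer, Checks, Exits, Microsecs, Avg/Check,
# Pct of Caller, Pct of Total. Nesting below is illustrative only.
SAMPLE = """\
 Num  Preprocessor Layer Checks Exits Microsecs Avg/Check Pct-Caller Pct-Total
 ===  ============ ===== ====== ===== ========= ========= ========== =========
 1  s5             0  1000  1000  500000  500.00  50.00  50.00
  1 s5tcp          1   900   900  400000  444.44  80.00  40.00
   1 s5TcpState    2   900   900  300000  333.33  75.00  30.00
    1 s5TcpData    3   800   800  100000  125.00  33.33  10.00
 2  detect         0  1000  1000  300000  300.00  30.00  30.00
  1 rule eval      1  1200  1200  150000  125.00  50.00  15.00
"""

def parse_rows(text):
    """Return dicts with name, layer and pct_total for each data row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue  # header, separator or blank line
        # Names may contain spaces, so take the 7 numeric columns from the right.
        rows.append({"name": " ".join(f[1:-7]),
                     "layer": int(f[-7]),
                     "pct_total": float(f[-1])})
    return rows

def top_level_pct(rows):
    """Sum of layer-0 rows only: sub-layers are already included in these."""
    return round(sum(r["pct_total"] for r in rows if r["layer"] == 0), 2)

def exclusive_pct(rows):
    """Each row's own share: its pct_total minus its direct children's."""
    out = []
    for i, r in enumerate(rows):
        own = r["pct_total"]
        for child in rows[i + 1:]:
            if child["layer"] <= r["layer"]:
                break  # left this row's subtree
            if child["layer"] == r["layer"] + 1:
                own -= child["pct_total"]
        out.append((r["name"], r["layer"], round(own, 2)))
    return out

if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("naive sum of all rows:", sum(r["pct_total"] for r in rows))
    print("layer-0 sum:", top_level_pct(rows))
    for name, layer, own in exclusive_pct(rows):
        print(f"{'  ' * layer}{name}: {own}% own time")
```

The layer-0 sum and the sum of the own-time values agree, while the naive column sum counts every sub-layer again at each level above it.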




