[Snort-users] profiling

Carter Waxman (cwaxman) cwaxman at ...589...
Fri Apr 4 11:37:43 EDT 2014

Percent of total indicates the percentage of time spent in the particular
preprocessor / phase of detection. If you add all of the values together,
then you will get a value greater than 100. Processing is performed using
a hierarchy, so percent of total will include time for the layer + time
spent in sub-layers. Layer simply refers to the depth of calls. For
example, for s5TcpData, the call hierarchy is s5->s5tcp->s5TcpState (layer

This should help clarify things:

On 4/4/14 10:43 AM, "simegnew yihunie" <syihunie at ...11827...> wrote:

>do you have any idea about the column percent of total and layer
>stands for. it is more than 100 when I add all.
>On 4/3/14, Carter Waxman (cwaxman) <cwaxman at ...589...> wrote:
>> Hello,
>> You are correct. All of the statistics you listed track Stream5.
>> -Carter
>> On 4/3/14 10:33 AM, "simegnew yihunie" <syihunie at ...11827...> wrote:
>>>Hey Guys,
>>>I enabled profile enabling of preprocessors and test the snort. In the
>>>table there are s5, s5tcpState, s5tcpFlush, s5tcpProcessRebuilt,
>>>s5tcpBuildPacket, s5tcpData,s5tcpPacketInsert, s5tcpNewSess. Are all
>>>these stream preprocessors or other? Any one who have any idea about
>>>this preprocessors layer ?
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>Snort-users list archive:
>>>Please visit http://blog.snort.org to stay current on all the latest
>>>Snort news!

More information about the Snort-users mailing list