[Snort-users] Snort Stats (% Packet Loss)

Kurzawa, Kevin kkurzawa at ...16800...
Fri May 2 15:05:28 EDT 2014


I recently set up ThePigDoktah for reading the perfmonitor stats output. The % Packet Loss it is giving is confusing me though.

I set the perfmonitor to poll every 60 seconds.

Tcpdump will read 100,000 packets and not drop a single one from the interface, even while Snort is running.

I also see that the 2nd field in the stats output is the "pkt_drop_percent", and my numbers hang around 3-5, not >100.

Can anyone help me understand the % packet loss? Obviously I'm not dropping 100% of my packets, I'm getting alerts and whatnot. I figure I just don't understand it.

STATS FILE
#time,pkt_drop_percent ...
1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150

THE PIG DOKTAH REPORT
Report Info:
        Processed: stats
        First Entry: Fri May  2 14:46:53 2014
        Last Entry: Fri May  2 14:58:53 2014
        Time Span: 0 days, 0 hours, 12 minutes and 0 seconds

Wirespeed:
        High: 138.603 Mbits/Sec | Fri May  2 14:55:53 2014
        Low: 99.941 Mbits/Sec | Fri May  2 14:46:53 2014
        Avg: 126.206 Mbits/Sec

% Packet Loss:
        High: 124.234% | Fri May  2 14:58:53 2014
        Low: 0.000% | Fri May  2 14:48:53 2014
        Avg: 120.063%

Additional Info:
        Avg Pkt Size: 659.974 bytes
        Avg Syns/Sec: 263.536
        Avg SynAcks/Sec: 263.990
        Avg Alerts/Sec: 0.061
        Avg Current Cached Sessions: 43037.147
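
An added example (not part of the original post and not ThePigDoktah's code): a cross-check of the report's 124.234% figure against the raw stats row quoted above. It reads pkt_drop_percent by its header position, tests that it is a valid percentage, and lists which columns of the row actually hold the reported value. The function names and the fixed EDT offset are assumptions, and only the two column names visible in the post are used.

```python
import csv
from datetime import datetime, timedelta, timezone

# First 50 fields of the stats row quoted in the post (remaining fields omitted).
ROW = ("1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,"
       "253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,"
       "0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,"
       "168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,"
       "1387151,49474,0,106.534,124.234")

HEADER = ["time", "pkt_drop_percent"]  # the only names visible in the post's header
EDT = timezone(timedelta(hours=-4))    # assumption: sensor clock is EDT, as in the post


def parse_row(line):
    """Split one perfmonitor CSV line into its string fields."""
    return next(csv.reader([line.strip()]))


def columns_holding(fields, reported, tol=0.0005):
    """0-based indexes of every field numerically equal to a reported figure."""
    target = float(reported)
    return [i for i, f in enumerate(fields) if abs(float(f) - target) <= tol]


def cross_check(line, reported_loss):
    """Compare a report's packet-loss figure with the row's own pkt_drop_percent."""
    fields = parse_row(line)
    named = dict(zip(HEADER, fields))
    drop = float(named["pkt_drop_percent"])
    when = datetime.fromtimestamp(int(named["time"]), tz=EDT)
    return {
        "time": when.strftime("%a %b %d %H:%M:%S %Y"),
        "pkt_drop_percent": drop,
        "drop_is_valid_percent": 0.0 <= drop <= 100.0,
        "report_matches_drop_field": abs(drop - float(reported_loss)) <= 0.0005,
        "columns_holding_report_value": columns_holding(fields, reported_loss),
    }


if __name__ == "__main__":
    for key, value in cross_check(ROW, "124.234").items():
        print(f"{key}: {value}")
```

Running the same check over every row of the stats file shows whether the report's loss figure ever coincides with the second field or always with another column.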
