[Snort-users] Snort Stats (% Packet Loss)

Joel Esler (jesler) jesler at ...589...
Fri May 2 15:32:36 EDT 2014

You must have a line in there that shows >100%.  Usually upon start up you’ll have a line that reads like this.

On May 2, 2014, at 3:17 PM, Kurzawa, Kevin <kkurzawa at ...16800...<mailto:kkurzawa at ...16800...>> wrote:

% Packet Loss from the output of ThePigDoktah shows it over 100%. What is ThePigDoktah reading to get this output?

From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Friday, May 02, 2014 3:14 PM
To: Kurzawa, Kevin
Cc: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: Re: [Snort-users] Snort Stats (% Packet Loss)

In the line you posted here, it appears you dropped 3.44% of packets for that interval.

Joel Esler
Sent from my iPhone

On May 2, 2014, at 15:09, "Kurzawa, Kevin" <kkurzawa at ...16800...<mailto:kkurzawa at ...16800...>> wrote:
I recently set up ThePigDoktah for reading the perfmonitor stats output. The % Packet Loss it is giving is confusing me though.

I set the perfmonitor to poll every 60 seconds.

Tcpdump will read 100,000 packets and not drop a single one from the interface. Even while snort is running.

I also see that the 2nd field in the stats output is the “pkt_drop_percent.” And my numbers hang around 3-5. Not >100.

Can anyone help me understand the % packet loss? Obviously I’m not dropping 100% of my packets, I’m getting alerts and whatnot. I figure I just don’t understand it.

#time,pkt_drop_percent …

Report Info:
        Processed: stats
        First Entry: Fri May  2 14:46:53 2014
        Last Entry: Fri May  2 14:58:53 2014
        Time Span: 0 days, 0 hours, 12 minutes and 0 seconds

        High: 138.603 Mbits/Sec | Fri May  2 14:55:53 2014
        Low: 99.941 Mbits/Sec | Fri May  2 14:46:53 2014
        Avg: 126.206 Mbits/Sec

% Packet Loss:
        High: 124.234% | Fri May  2 14:58:53 2014
        Low: 0.000% | Fri May  2 14:48:53 2014
        Avg: 120.063%

Additional Info:
        Avg Pkt Size: 659.974 bytes
        Avg Syns/Sec: 263.536
        Avg SynAcks/Sec: 263.990
        Avg Alerts/Sec: 0.061
        Avg Current Cached Sessions: 43037.147

"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.  Get
unparalleled scalability from the best Selenium testing platform available.
Simple to use. Nothing to install. Get started now for free."
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140502/df5c7c12/attachment.html>

More information about the Snort-users mailing list