[Snort-users] Snort Stats (% Packet Loss)

Kurzawa, Kevin kkurzawa at ...16800...
Fri May 2 15:40:37 EDT 2014


As you say, the start up is definitely the highest packet drop percentage. But even that is a peak of 26.

Here's the list of numbers from the relevant field in the stats file. Does ThePigDoktah look at other fields for this information?

$ cat stats  |cut -f 2 -d ,
pkt_drop_percent
26.447
23.215
11.228
5.466
3.789
1.807
2.918
1.583
3.296
5.213
0.401
3.142
3.444
10.505
2.058
1.267
4.113
6.268
1.432
0.896
2.468
0.356
4.884
3.609
0.765
1.150
3.100
3.049
1.798
2.976
1.395
8.574
12.834
9.475
6.947
11.643
10.214
4.720
2.089
1.259
6.927
18.875
12.649
10.645
4.849
7.381
3.539
5.326


From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Friday, May 02, 2014 3:33 PM
To: Kurzawa, Kevin
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Stats (% Packet Loss)

You must have a line in there that shows >100%.  Usually upon start up you'll have a line that reads like this.


On May 2, 2014, at 3:17 PM, Kurzawa, Kevin <kkurzawa at ...16800...> wrote:


% Packet Loss from the output of ThePigDoktah shows it over 100%. What is ThePigDoktah reading to get this output?



From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Friday, May 02, 2014 3:14 PM
To: Kurzawa, Kevin
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Stats (% Packet Loss)

In the line you posted here, it appears you dropped 3.44% of packets for that interval.



--
Joel Esler
Sent from my iPhone

On May 2, 2014, at 15:09, "Kurzawa, Kevin" <kkurzawa at ...16800...> wrote:
I recently set up ThePigDoktah for reading the perfmonitor stats output. The % Packet Loss it is giving is confusing me though.

I set the perfmonitor to poll every 60 seconds.

Tcpdump will read 100,000 packets and not drop a single one from the interface. Even while snort is running.

I also see that the 2nd field in the stats output is the "pkt_drop_percent." And my numbers hang around 3-5. Not >100.

Can anyone help me understand the % packet loss? Obviously I'm not dropping 100% of my packets, I'm getting alerts and whatnot. I figure I just don't understand it.

STATS FILE
#time,pkt_drop_percent ...
1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150

THE PIG DOKTAH REPORT
Report Info:
        Processed: stats
        First Entry: Fri May  2 14:46:53 2014
        Last Entry: Fri May  2 14:58:53 2014
        Time Span: 0 days, 0 hours, 12 minutes and 0 seconds

Wirespeed:
        High: 138.603 Mbits/Sec | Fri May  2 14:55:53 2014
        Low: 99.941 Mbits/Sec | Fri May  2 14:46:53 2014
        Avg: 126.206 Mbits/Sec

% Packet Loss:
        High: 124.234% | Fri May  2 14:58:53 2014
        Low: 0.000% | Fri May  2 14:48:53 2014
        Avg: 120.063%

Additional Info:
        Avg Pkt Size: 659.974 bytes
        Avg Syns/Sec: 263.536
        Avg SynAcks/Sec: 263.990
        Avg Alerts/Sec: 0.061
        Avg Current Cached Sessions: 43037.147
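
Added example, not part of the thread and not ThePigDoktah's code: a Python check that reads pkt_drop_percent by header name instead of by position, sets aside values that cannot be percentages, and reports which field(s) of the posted row hold a given number such as the 124.234 in the report. The function names are hypothetical, the header is limited to the two names visible in the post, and the timestamps of the two earlier sample rows are constructed.

```python
import csv
import io

# Fields 1-50 of the STATS FILE row in the post (the row is cut here).
POSTED_ROW = (
    "1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,"
    "256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,"
    "0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,"
    "122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,"
    "23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234"
)
# Constructed sample file: only the two header names visible in the post;
# the first two rows pair drop values from the posted list with
# constructed timestamps.
SAMPLE = ("#time,pkt_drop_percent\n"
          "1399057013,0.401\n"
          "1399057073,3.142\n" + POSTED_ROW + "\n")


def drop_percent_summary(text, column="pkt_drop_percent"):
    """Return (high, low, avg, suspect) for a column chosen by header name."""
    rows = csv.reader(io.StringIO(text))
    header = [name.lstrip("#").strip() for name in next(rows)]
    idx = header.index(column)  # ValueError if this layout lacks the column
    values, suspect = [], []
    for row in rows:
        if len(row) <= idx or row[0].startswith("#"):
            continue  # short, blank or comment line
        value = float(row[idx])
        if 0.0 <= value <= 100.0:
            values.append(value)
        else:
            suspect.append((row[0], value))  # cannot be a percentage
    if not values:
        raise ValueError("no usable rows for " + column)
    return max(values), min(values), sum(values) / len(values), suspect


def fields_holding(row, value):
    """1-based positions of the fields in one row whose text equals value."""
    return [i for i, f in enumerate(row.split(","), start=1) if f == value]


if __name__ == "__main__":
    print(drop_percent_summary(SAMPLE))
    print(fields_holding(POSTED_ROW, "124.234"))
```

Comparing the field position returned for a reported value with the position of pkt_drop_percent in the header shows whether a report and the stats file agree on the column layout.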
