[Snort-users] Snort Stats (% Packet Loss)

Jaime Nebrera jnebrera at ...16842...
Sat May 3 06:33:45 EDT 2014


Hi Kevin,

As part of the Redborder.org project we have developed several tools that
might help you to solve your problem.

We will place them in our GitHub repository over the next few days
(www.GitHub.com/redBorder).

The first one is just an SNMP exporter of Snort performance data. This is
very interesting for monitoring your Snort deployment with tools like Nagios
or Zabbix.

The second one extends the first one by sending the same information as
JSON within a Kafka message.

We employ the second, as the upcoming redBorder 3 release expects all
messages as Kafka, but we are aware of clients using the first system to
plug into a more standardized SNMP framework.

Would this help you?

On 02/05/2014 21:12, "Kurzawa, Kevin" <kkurzawa at ...16800...> wrote:

> I recently set up ThePigDoktah for reading the perfmonitor stats output.
> The % Packet Loss it is giving is confusing me though.
>
> I set the perfmonitor to poll every 60 seconds.
>
> Tcpdump will read 100,000 packets and not drop a single one from the
> interface. Even while snort is running.
>
> I also see that the 2nd field in the stats output is the
> “pkt_drop_percent.” And my numbers hang around 3-5. Not >100.
>
> Can anyone help me understand the % packet loss? Obviously I’m not
> dropping 100% of my packets, I’m getting alerts and whatnot. I figure I
> just don’t understand it.
>
> *STATS FILE*
>
> #time,pkt_drop_percent …
>
> 1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150
>
> *THE PIG DOKTAH REPORT*
>
> Report Info:
>         Processed: stats
>         First Entry: Fri May  2 14:46:53 2014
>         Last Entry: Fri May  2 14:58:53 2014
>         Time Span: 0 days, 0 hours, 12 minutes and 0 seconds
>
> Wirespeed:
>         High: 138.603 Mbits/Sec | Fri May  2 14:55:53 2014
>         Low: 99.941 Mbits/Sec | Fri May  2 14:46:53 2014
>         Avg: 126.206 Mbits/Sec
>
> *% Packet Loss:*
> *        High: 124.234% | Fri May  2 14:58:53 2014*
> *        Low: 0.000% | Fri May  2 14:48:53 2014*
> *        Avg: 120.063%*
>
> Additional Info:
>         Avg Pkt Size: 659.974 bytes
>         Avg Syns/Sec: 263.536
>         Avg SynAcks/Sec: 263.990
>         Avg Alerts/Sec: 0.061
>         Avg Current Cached Sessions: 43037.147
>
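
Added example, not part of either post: a Python check that parses the perfmonitor row quoted above, reads the second field as pkt_drop_percent, and looks up which column holds the 124.234 figure from the report's "High" line. The function names and the fixed EDT offset are assumptions made for this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Data row copied from the quoted stats file; the header is truncated in the post.
STATS = """#time,pkt_drop_percent
1399057133,3.444,122.361,0.050,23.119,661,319.020,256.385,256.768,253.151,174.418,47222,47223,1925.093,0,8059,0.083,0.083,0.100,0.083,0.000,0.083,1,2,0,0,1,80.034,5.322,14.644,122.361,0.002,0.002,45.504,168.489,661,1120,2415,2954,842,23.119,0.000,0.000,1.925,25.008,1387151,49474,0,106.534,124.234,21022,22424,47223,3968,16638,27592,0.000,169.384,134.317,0.000,0.000,0,0,0.000,0,0.000,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,54898083,1.150
"""
EDT = timezone(timedelta(hours=-4))  # assumption: report times are US Eastern (EDT)


def parse_rows(text):
    """Return data rows as lists of strings, skipping '#' header lines."""
    return [r for r in csv.reader(io.StringIO(text))
            if r and not r[0].startswith("#")]


def drop_percent(row):
    """Second field, which the post identifies as pkt_drop_percent."""
    return float(row[1])


def entry_time(row):
    """First field is a Unix timestamp; convert it to the assumed local zone."""
    return datetime.fromtimestamp(int(row[0]), EDT)


def columns_matching(row, reported, tol=0.0005):
    """1-based column numbers whose value equals a figure printed by a report."""
    return [i for i, v in enumerate(row, 1) if abs(float(v) - reported) <= tol]


def audit(text, reported):
    """For each row: the drop percentage, whether it is a valid percentage,
    and which columns carry the figure the report printed."""
    findings = []
    for row in parse_rows(text):
        drop = drop_percent(row)
        findings.append({
            "time": entry_time(row).isoformat(),
            "pkt_drop_percent": drop,
            "plausible": 0.0 <= drop <= 100.0,
            "reported_in_columns": columns_matching(row, reported),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(STATS, 124.234):
        print(finding)
```

On the quoted row the second field is 3.444, and 124.234 occurs only in column 50 of the entry timestamped 14:58:53.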