[Snort-users] packet I/O totals

Michael Altizer mialtize at ...589...
Sun Feb 26 20:30:37 EST 2017


Which DAQ module are you using?  PCAP? Outstanding is simply Received - 
Filtered - Analyzed.  Received and Filtered counts come from the DAQ 
module while Analyzed is how many packets Snort actually saw.  The 
Dropped count represents unintentional drops at the DAQ module or 
hardware layer, usually due to overloading.  Especially with the PCAP 
module, we are at the mercy of how the underlying implementation happens 
to report those Received and Dropped statistics (opaque to the user of 
libpcap).  So it appears that the packets that are being dropped due to 
overruns are still being (double) counted by the hardware/libpcap as 
also being received.

Relevant text from the man page for pcap_stats():

"""
        A struct pcap_stat has the following members:

               ps_recv
                      number of packets received;

               ps_drop
                      number of packets dropped because there was no 
room in the operating system's buffer when they arrived, because packets 
weren't being read fast enough;

               ps_ifdrop
                      number of packets dropped by the network interface 
or its driver.

        The  statistics  do  not  behave the same way on all platforms.  
ps_recv might count packets whether they passed any filter set with 
pcap_setfilter(3PCAP) or not, or it might count only packets that pass 
the filter.  It also might, or might not, count packets dropped because 
there was no room in the operating system's buffer when they arrived.  
ps_drop is not available on all platforms;  it  is zero on platforms 
where it's not available.  If packet filtering is done in libpcap, 
rather than in the operating system, it would count packets that don't 
pass the filter.  Both ps_recv and ps_drop might, or might not, count 
packets not yet read from the operating system and thus not yet seen by 
the application.  ps_ifdrop might, or might not, be implemented; if it's 
zero, that might mean that no packets were dropped by the interface, or 
it might mean that the statistic is unavailable, so it should not be 
treated as an indication that the interface did not drop any packets.
"""

Basically, there's a whole bunch of uncertainty and we kind of try to do 
our best.

On 02/23/2017 06:58 AM, Felix Erlacher wrote:
> Hi all,
>
> I have a question regarding the Snort Packet I/O totals.
> This is what Snort tells me after I stop it with SIGTERM:
>
> Packet I/O Totals:
>     Received:      2234257
>     Analyzed:      1327128 ( 59.399%)
>      Dropped:       907129 ( 28.877%)
>     Filtered:            0 (  0.000%)
> Outstanding:       907129 ( 40.601%)
>     Injected:            0
>
> The snort manual says "Outstanding indicates how many packets are
> buffered awaiting processing" and further refers to the DAQ
> documentation. (The DAQ readme gives no info on this behalf and I
> couldn't find any other DAQ docu)
> There are a few oddities here:
> The "Dropped" and "Outstanding" numbers are exactly the same, namely the
> difference between "analyzed" and "received".
> How can dropped packets be at the same time outstanding?
> Of which number is 907129 28.877%?
>
> Is the problem that I aborted Snort?
>
> I am using snort 2.9.9.0 with DAQ 2.0.6 to analyze traffic from my
> 10GBit NIC with the shipped snort.conf in IDS mode.
> BTW: There was already a similar discussion on this list, the problem
> was solved by a new DAQ. At the moment I am using the newest DAQ.
>
> thanks and greets
>
>
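A small model of the accounting described in this reply, added here as an illustration and not code from Snort or the DAQ: it recomputes the Packet I/O totals from the quoted numbers and shows why a libpcap whose ps_recv also counts dropped packets makes Dropped and Outstanding coincide. The percentage bases (Analyzed, Filtered and Outstanding relative to Received; Dropped relative to Received + Dropped) are an assumption inferred from the quoted output, not taken from Snort's source.

```python
from dataclasses import dataclass

# Constructed from the Packet I/O Totals quoted in the original question.
DAQ_RECEIVED = 2234257   # ps_recv as reported through the pcap DAQ module
DAQ_DROPPED = 907129     # ps_drop (+ ps_ifdrop), i.e. buffer/interface overruns
DAQ_FILTERED = 0         # packets the DAQ filtered before Snort saw them
ANALYZED = 1327128       # packets Snort actually processed


@dataclass
class IoTotals:
    received: int
    analyzed: int
    dropped: int
    filtered: int
    outstanding: int
    analyzed_pct: float
    dropped_pct: float
    outstanding_pct: float


def pct(num: int, den: int) -> float:
    """Percentage rounded to three places, as in Snort's summary (0 if no base)."""
    return round(100.0 * num / den, 3) if den else 0.0


def io_totals(received: int, analyzed: int, dropped: int, filtered: int) -> IoTotals:
    """Outstanding = Received - Filtered - Analyzed, as explained in the reply.
    Assumption: Dropped is shown as a share of Received + Dropped; the other
    percentages are shares of Received (this reproduces the quoted figures)."""
    outstanding = received - filtered - analyzed
    return IoTotals(received, analyzed, dropped, filtered, outstanding,
                    pct(analyzed, received), pct(dropped, received + dropped),
                    pct(outstanding, received))


def pcap_received(seen_by_app: int, dropped: int, recv_counts_drops: bool) -> int:
    """Model the platform-dependent ps_recv from the pcap_stats() man page:
    on some platforms ps_recv includes packets that were later dropped."""
    return seen_by_app + dropped if recv_counts_drops else seen_by_app


if __name__ == "__main__":
    # Platform that double-counts drops in ps_recv: Outstanding == Dropped.
    print(io_totals(pcap_received(ANALYZED, DAQ_DROPPED, True), ANALYZED, DAQ_DROPPED, DAQ_FILTERED))
    # Platform whose ps_recv excludes drops: nothing appears outstanding.
    print(io_totals(pcap_received(ANALYZED, DAQ_DROPPED, False), ANALYZED, DAQ_DROPPED, DAQ_FILTERED))
```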