[Snort-users] packet I/O totals
mialtize at ...589...
Sun Feb 26 20:30:37 EST 2017
Which DAQ module are you using? PCAP? Outstanding is simply Received -
Filtered - Analyzed. Received and Filtered counts come from the DAQ
module while Analyzed is how many packets Snort actually saw. The
Dropped count represents unintentional drops at the DAQ module or
hardware layer, usually due to overloading. Especially with the PCAP
module, we are at the mercy of how the underlying implementation happens
to report those Received and Dropped statistics (opaque to the user of
libpcap). So it appears that the packets that are being dropped due to
overruns are still being (double) counted by the hardware/libpcap as
also being received.
Relevant text from the man page for pcap_stats():
A struct pcap_stat has the following members:
number of packets received;
number of packets dropped because there was no
room in the operating system's buffer when they arrived, because packets
weren't being read fast enough;
number of packets dropped by the network interface
or its driver.
The statistics do not behave the same way on all platforms.
ps_recv might count packets whether they passed any filter set with
pcap_setfilter(3PCAP) or not, or it might count only packets that pass
the filter. It also might, or might not, count packets dropped because
there was no room in the operating system's buffer when they arrived.
ps_drop is not available on all platforms; it is zero on platforms
where it's not available. If packet filtering is done in libpcap,
rather than in the operating system, it would count packets that don't
pass the filter. Both ps_recv and ps_drop might, or might not, count
packets not yet read from the operating system and thus not yet seen by
the application. ps_ifdrop might, or might not, be implemented; if it's
zero, that might mean that no packets were dropped by the interface, or
it might mean that the statistic is unavailable, so it should not be
treated as an indication that the interface did not drop any packets.
Basically, there's a whole bunch of uncertainty and we kind of try to do
On 02/23/2017 06:58 AM, Felix Erlacher wrote:
> Hi all,
> I have a question regarding the Snort Packet I/O totals.
> This is what Snort tells me after i stop it with SIGTERM:
> Packet I/O Totals:
> Received: 2234257
> Analyzed: 1327128 ( 59.399%)
> Dropped: 907129 ( 28.877%)
> Filtered: 0 ( 0.000%)
> Outstanding: 907129 ( 40.601%)
> Injected: 0
> The snort manual says "Outstanding indicates how many packets are
> buffered awaiting processing" and further refers to the DAQ
> documentation. (The DAQ readme gives no Info on this behalf and I
> could't find any other DAQ docu)
> There are a few oddities here:
> The "Dropped" and "Outstanding" numbers are exactly the same, namely the
> difference between "analyzed" and "received".
> How can dropped packets be at the same time outstanding?
> Of which number is 907129 28.877%?
> Is the problem that I aborted Snort?
> I am using snort 18.104.22.168 with DAQ 2.0.6 to analyze traffic from my
> 10GBit NIC with the shipped snort.conf in IDS mode.
> BTW: There was already a similar discussion on this list, the problem
> was solved by a new DAQ. At the moment I am using the newest DAQ.
> thanks and greets
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
More information about the Snort-users