Hi.
I was asked (off-list) to provide some additional information,
esp. the packet counters from the OS.
debian3164m:~# netstat -ni
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 413593 0 0 0 287444 0 0 0 ABMRU
lo 16436 0 78789 0 0 0 78789 0 0 0 LRU
[... several hours later ...]
debian3164m:~# netstat -ni ; pkill snort
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 424152 0 0 0 289605 0 0 0 ABMRU
lo 16436 0 84348 0 0 0 84348 0 0 0 LRU
I am snorting on eth0 (non-promiscuous). So after 12720 packets
(10559 receiving and 2161 transmitting) I killed snort
and as packet statistics it gave:
Snort ran for 0 Days 12 Hours 10 Minutes 16 Seconds
Packet analysis time averages:
Snort Analyzed 30 Packets Per Hour
Snort Analyzed 0 Packets Per Minute
Snort Analyzed 0 Packets Per Second
Snort received 367 packets
Analyzed: 12715(3464.577%)
Dropped: 0(0.000%)
Outstanding: 4294954948(5026360781529153536.000%)
===============================================================================
Breakdown by protocol:
TCP: 3799 (29.878%)
UDP: 736 (5.788%)
ICMP: 189 (1.486%)
ARP: 7991 (62.847%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 20
LOGGED: 20
PASSED: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 3799 (29.878%)
Stream Trackers: 164
Stream flushes: 619
Segments used: 1395
Segments Queued: 1397
Stream4 Memory Faults: 0
===============================================================================
Snort exiting
This weird number also occurs if I request these statistics via SIGUSR1.
And again I will get a reasonable number of outstanding (what are
outstanding packets?) if I subtract snort's number of outstanding
packets from 2^32 (2**32 - 4294954948 = 12348).
Any hints/clues?
Thanks,
Andreas.
P.S.: Of course I will try the fresh and shiny new snort released
yesterday.
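
An added example (not part of the original message, and not Snort's own code) that reproduces the figures above in C and checks them against the netstat deltas. It assumes the outstanding counter is computed as received - analyzed - dropped in unsigned 32-bit arithmetic, which is an assumption about Snort; the struct and function names are hypothetical, and the inputs are the numbers quoted in the message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical container for the three counters in the statistics block. */
struct sensor_stats { uint32_t received, analyzed, dropped; };

/* ASSUMPTION: outstanding = received - analyzed - dropped, evaluated in
 * unsigned 32-bit arithmetic, so a negative result wraps modulo 2^32. */
uint32_t outstanding_u32(struct sensor_stats s)
{
    return (uint32_t)(s.received - s.analyzed - s.dropped);
}

/* Same subtraction in a signed 64-bit type: a negative value means the
 * "received" counter is smaller than the number of packets analyzed. */
int64_t outstanding_signed(struct sensor_stats s)
{
    return (int64_t)s.received - (int64_t)s.analyzed - (int64_t)s.dropped;
}

/* "Analyzed" as a percentage of "received", as printed in the statistics. */
double analyzed_pct(struct sensor_stats s)
{
    return s.received ? 100.0 * s.analyzed / s.received : 0.0;
}

/* Packets the kernel counted on the interface between two netstat -ni runs. */
uint64_t iface_delta(uint64_t rx0, uint64_t tx0, uint64_t rx1, uint64_t tx1)
{
    return (rx1 - rx0) + (tx1 - tx0);
}

/* Returns 1 if the counters are mutually consistent, 0 if they would wrap. */
int stats_consistent(struct sensor_stats s)
{
    return outstanding_signed(s) >= 0;
}

int main(void)
{
    struct sensor_stats s = { 367, 12715, 0 };   /* values from the message */
    printf("kernel delta on eth0 : %" PRIu64 "\n",
           iface_delta(413593, 287444, 424152, 289605));
    printf("outstanding (u32)    : %" PRIu32 "\n", outstanding_u32(s));
    printf("outstanding (signed) : %" PRId64 "\n", outstanding_signed(s));
    printf("analyzed / received  : %.3f%%\n", analyzed_pct(s));
    printf("consistent           : %s\n", stats_consistent(s) ? "yes" : "no");
    return 0;
}
```

With these inputs the kernel delta (12720) is close to the analyzed count (12715), while the received count (367) is the value that does not fit the other two.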