Snort

Re: [Snort-users] Looooots of "Outstanding" and "Analyzed" packets - cou

To: "Andreas Maus" <maus@ypbind.de>
Subject: Re: [Snort-users] Looooots of "Outstanding" and "Analyzed" packets - counter wrap ?
From: "Justin Heath" <justin.heath@gmail.com>
Date: Mon, 27 Nov 2006 09:56:39 -0500
Cc: snort-users@lists.sourceforge.net
Do you see this same type of behaviour when running for a short period
of time (5 minutes, for example)? If so, can you run a tcpdump (no
snaplen limit, no filters and writing out to a file) during the same
period? Once you have the traffic captured, read back the pcap with
'-r' and see if you still get the same stats. If so, please send the
pcap to bugs@snort.org.


Thanks,
Justin

On 11/22/06, Andreas Maus <maus@ypbind.de> wrote:
> Hi.
>
> I'm running Snort Version 2.6.1 (Build 24) inline and
> don't have any problems so far.
>
> But after a look at the stats Snort generates after
> a restart (after stop) I start to think about their
> meanings. Especially the number of "Analyzed" and
> "Outstanding" packets:
>
> [... snipp ...]
> Snort ran for 0 Days 19 Hours 37 Minutes 20 Seconds
> Packet analysis time averages:
>
> Snort Analyzed 270 Packets Per Hour
> Snort Analyzed 4 Packets Per Minute
> Snort Analyzed 0 Packets Per Second
>
> Snort received 5145 packets
>     Analyzed: 37793(734.558%)
>     Dropped: 0(0.000%)
>     Outstanding: 4294934648(358537307160051712.000%)
>     
> ===============================================================================
>     Breakdown by protocol:
>       TCP: 23839      (63.078%)
>       UDP: 3472       (9.187%)
>      ICMP: 265        (0.701%)
>       ARP: 10217      (27.034%)
>     EAPOL: 0          (0.000%)
>      IPv6: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>      FRAG: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
>     
> ===============================================================================
>     Action Stats:
>
> [... snipp ...]
>
> O.K. no packets are dropped which is a Good Thing (tm), but where do
> the odd counters for analyzed (over 700 % ?) and outstanding packets
> (358537307160051712.000% ! *gasp*) come from? The number of outstanding packets
> looks strange. If I subtract the number of outstanding packets from
> 2^32 I will get a more reasonable number of 32648. Counter wrap ?
>
> Any comments/hints would be helpful.
>
> Many thanks in advance,
>
> Andreas.
>
> P.S.: The system is running Debian 3.1 (stable) with:
> debian3164m:~# uname -a
> Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Tue Sep 19 01:04:26 UTC 2006 x86_64 GNU/Linux
>

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
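
Added example (not part of either message and not Snort's own code): a small checker that parses the exit-stats block quoted above and tests the counter-wrap idea. It assumes "Outstanding" is derived as received minus analyzed minus dropped in an unsigned 32-bit counter; the thread does not confirm this, and the function names are hypothetical.

```python
import re

# Stats block copied from the quoted message above (Snort 2.6.1 exit output).
SAMPLE = """\
Snort received 5145 packets
    Analyzed: 37793(734.558%)
    Dropped: 0(0.000%)
    Outstanding: 4294934648(358537307160051712.000%)
"""

U32 = 1 << 32  # modulus of an unsigned 32-bit counter


def parse_stats(text):
    """Extract the four packet counters from a Snort exit-stats block."""
    stats = {}
    m = re.search(r"Snort received (\d+) packets", text)
    if m:
        stats["received"] = int(m.group(1))
    for name in ("Analyzed", "Dropped", "Outstanding"):
        m = re.search(rf"^\s*{name}:\s*(\d+)\(", text, re.MULTILINE)
        if m:
            stats[name.lower()] = int(m.group(1))
    missing = {"received", "analyzed", "dropped", "outstanding"} - stats.keys()
    if missing:
        raise ValueError(f"stats block is missing: {sorted(missing)}")
    return stats


def check_counters(stats):
    """Return findings about inconsistent or wrapped counters."""
    rx, an = stats["received"], stats["analyzed"]
    dr, out = stats["dropped"], stats["outstanding"]
    findings = []
    if an > rx:
        findings.append(f"analyzed ({an}) exceeds received ({rx}) by {an - rx}")
    # Assumption: outstanding = received - analyzed - dropped, stored unsigned.
    signed = rx - an - dr
    if out != signed % U32:
        findings.append(f"outstanding {out} != received - analyzed - dropped")
    elif signed < 0:
        findings.append(f"outstanding {out} is {signed} wrapped modulo 2^32")
    return findings


if __name__ == "__main__":
    for finding in check_counters(parse_stats(SAMPLE)):
        print(finding)
```

On the quoted numbers the 32648 obtained by subtracting from 2^32 is exactly analyzed minus received (37793 - 5145), so the wrap follows from the analyzed counter exceeding the received counter.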
