Re: Performance again

[Matt Kettler <mkettler () evi-inc com>]

At 10:55 AM 12/23/2003, Edin Dizdarevic wrote:
> The first question is anyway, what is actually ment by the statistics?
> It would be interessting to know, in which stages of the process a
> packet drop may occur and what is ment by the output/perfmon:
>
> 1. During the capture (and copy from the kernel to the user space)
> 2. During the preprocessing/reassembling/decoding
> 3. During the pattern matching/alerting
> 4. During the output
> 5. Other?

5. Other.

with libpcap, packets are queued into a buffer for snort to read. That 
buffer is a fixed size. When snort reads a packet, it is removed from the 
buffer and that space is freed for new packets to arrive.

If new packets arrive and the buffer is full, the old ones are dropped.

Thus, a packet drop is not something that happens within any of the above 
stages, it happens when all of 2-4 aren't completed before 1 happens again.



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users