Snort mailing list archives

Snort PerfMon preprocessor output


From: "Basselgia, Barry A Mr (NAF Atsugi)" <BABasselgia () atsugi navy mil>
Date: Thu, 21 Oct 2004 17:00:25 +0900

I'm trying to figure out how to gauge the performance on my snort sensor.  I
have the perfmonitor preprocessor configured with the below line in my
snort.conf file.

preprocessor perfmonitor: time 60 events flow file /var/log/snort/snort.stats pktcnt 50

I was using the perfmon-graph.pl file to generate charts from the file.  But
the charts don't seem to match observed performance.  The first thing that
appears to be strange is in the % Packets Dropped data.  If I'm not mistaken,
it's the second field in the snort.stats file, the time stamp being the
first field.  It is regularly recording that the % Packets Dropped is
greater than 100, in some instances much much greater than 100.  I'll
include sample data below.

Is there any more info on the perfmonitor preprocessor, other than what's in
the snort_manual.pdf file?  Anybody have any idea why it claims I'm dropping
Billions % packets?

snort:/var/log/snort # more snort.stats
1098299821,0.000,0.1,0.0,0.0,469,83.59,0.5,0.5,0.5,0.4,11,15,0.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098300022,32.718,0.2,0.0,0.1,280,73.48,0.7,0.7,0.7,0.8,9,16,1.1,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.7
1098300144,534533296833078848.000,0.6,0.0,0.1,638,88.10,2.8,2.8,2.9,2.9,15,21,5.6,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.2
1098300206,0.000,0.2,0.0,0.1,532,84.87,1.7,1.7,1.7,1.8,11,21,3.2,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.7
1098300270,0.000,0.2,0.0,0.0,660,108.07,1.2,1.2,1.2,1.1,15,21,2.4,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.1,99.2
1098300342,15.919,0.3,0.0,0.1,366,87.41,1.3,1.3,1.3,1.4,10,25,2.5,0,3,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098300416,100.000,0.3,0.0,0.1,590,87.64,0.9,0.9,0.9,0.9,8,25,1.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300483,100.000,0.2,0.0,0.0,515,85.02,0.7,0.7,0.7,0.7,13,25,1.2,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.1,99.8
1098300551,0.000,0.3,0.0,0.1,477,83.42,2.5,2.5,2.6,2.5,15,25,4.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300613,2.852,0.5,0.0,0.1,462,85.56,2.2,2.2,2.3,2.2,17,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.7,0.2,99.1
1098300675,100.000,0.4,0.0,0.1,549,86.72,0.8,0.8,0.8,1.0,9,25,1.6,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300741,0.000,0.3,0.0,0.1,550,85.84,1.7,1.7,1.7,1.6,14,25,2.6,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098300813,0.000,0.1,0.0,0.0,321,84.21,1.3,1.3,1.3,1.3,13,25,3.2,0,3,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098300880,0.000,0.2,0.0,0.1,476,89.38,1.9,1.9,1.9,1.9,13,25,4.5,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098300944,18.444,0.3,0.0,0.1,298,75.11,1.5,1.5,1.5,1.6,11,25,3.4,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.1,99.6
1098301018,100.000,0.1,0.0,0.0,619,133.61,1.2,1.2,1.3,1.3,15,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,1.4,0.0,98.6
1098301097,100.000,0.1,0.0,0.0,292,77.05,1.1,1.1,1.1,1.2,10,25,2.9,0,3,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.8
1098301175,0.000,0.1,0.0,0.0,367,81.32,1.0,1.0,1.0,1.0,6,25,2.7,0,2,0.0,0.0,0.0,0.0,0,0,0.1,0.0,99.9
1098301239,12.576,0.4,0.0,0.1,382,81.06,1.9,1.9,2.0,1.8,17,25,4.1,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301311,100.000,0.2,0.0,0.1,550,90.52,1.5,1.5,1.5,1.6,7,25,4.0,0,3,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5
1098301373,0.000,0.2,0.0,0.0,486,85.79,1.5,1.5,1.5,1.5,8,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301442,0.000,0.2,0.0,0.0,459,84.36,1.5,1.5,1.5,1.5,12,25,3.5,0,2,0.0,0.0,0.0,0.0,0,0,0.2,0.0,99.8
1098301502,0.000,0.4,0.0,0.1,491,86.14,2.0,2.0,2.1,2.1,12,25,4.7,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301574,69.776,0.3,0.0,0.1,363,83.81,1.5,1.5,1.5,1.5,12,25,3.6,0,2,0.0,0.0,0.0,0.0,0,0,0.6,0.1,99.3
1098301636,100.000,0.1,0.0,0.0,331,96.05,1.2,1.2,1.2,1.3,11,25,3.3,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.7
1098301702,794091436664208000.000,0.2,0.0,0.1,404,90.60,1.7,1.7,1.8,1.7,16,25,4.0,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301763,100.000,0.2,0.0,0.1,404,88.06,1.4,1.4,1.4,1.4,14,25,3.7,0,2,0.0,0.0,0.0,0.0,0,0,0.5,0.1,99.5
1098301825,7.348,0.5,0.0,0.2,384,81.74,2.5,2.5,2.7,2.6,20,27,5.5,0,2,0.0,0.0,0.0,0.0,0,0,0.9,0.2,99.0
1098301885,100.000,0.2,0.0,0.1,390,81.39,1.8,1.8,1.9,1.9,17,27,4.3,0,2,0.0,0.0,0.0,0.0,0,0,0.4,0.1,99.5


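Added example, not part of the original post and not Snort's own code: a sanity check for snort.stats records before they are charted or alerted on. It assumes the field order the poster describes (timestamp first, % Packets Dropped second), rebuilds records that a mail client has wrapped, and flags any drop value that cannot be a percentage. The sample records are copied from the post above; the function names are this example's own.

```python
import re

# Three records copied from the post, with the mail client's line wrapping intact.
SAMPLE = """\
1098299895,3.876,0.1,0.0,0.0,507,94.00,0.8,0.8,0.8,0.8,10,15,1.5,0,2,0.0,0.0
,0.0,0.0,0,0,0.3,0.0,99.6
1098299959,4145335746901022720.000,0.2,0.0,0.0,527,90.05,0.9,0.9,0.9,0.9,13,
15,1.8,0,2,0.0,0.0,0.0,0.0,0,0,0.3,0.0,99.6
1098300082,100.000,0.2,0.0,0.0,476,87.77,0.9,0.9,0.9,0.8,19,19,2.2,0,2,0.0,0
.0,0.0,0.0,0,0,0.2,0.1,99.7
"""

# A 10-digit epoch timestamp followed by a comma opens a new record.
RECORD_START = re.compile(r"^\d{10},")


def join_wrapped(text):
    """Rebuild one CSV record per entry from line-wrapped stats text."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += line  # continuation of the previous record
    return records


def check_drop_field(text):
    """Return (timestamp, drop_pct, ok) per record.

    ok is False when field 2 (assumed: % Packets Dropped) is missing,
    not numeric, or outside the 0..100 range a percentage allows.
    """
    results = []
    for rec in join_wrapped(text):
        fields = rec.split(",")
        ts = int(fields[0])
        try:
            drop = float(fields[1])
        except (IndexError, ValueError):
            results.append((ts, None, False))
            continue
        results.append((ts, drop, 0.0 <= drop <= 100.0))
    return results


if __name__ == "__main__":
    for ts, drop, ok in check_drop_field(SAMPLE):
        print(ts, drop, "ok" if ok else "INVALID: not a percentage")
```

Records flagged invalid should be excluded from graphs and drop-rate alerts rather than plotted, since a single such value rescales the whole chart.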