Snort mailing list archives
Re: Performance stats
From: Jason Brvenik <jasonb () sourcefire com>
Date: Sun, 02 Oct 2005 21:11:00 -0400
The application layer stats include the reassembled traffic. It is not unusual to see nearly double the number for app layer since snort inspects both reassembled and raw data. The exact ratio will depend on the mix of TCP/UDP/ICMP traffic as well as average packet sizes and rate. sekure wrote:
I was wondering if someone could elaborate on the differences between the application layer and wire counters in Snort stats. Why would i sometimes see almost twice the application layer throughput in Mbps than on the wire? ------------------------------------------------------- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=ort-users
------------------------------------------------------- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Performance stats sekure (Oct 02)
- Re: Performance stats Jason Brvenik (Oct 02)