Re: Looooots of "Outstanding" and "Analyzed" packets - counter wrap ?

["Bamm Visscher" <bamm.visscher () gmail com>]

What version of libpcap do you have installed?

Bammkkkk


On 11/22/06, Andreas Maus <maus () ypbind de> wrote:
> Hi.
>
> I'm running Snort Version 2.6.1 (Build 24) inline and
> don't have any problems so far.
>
> But after a look at the stats Snort generates after
> a restart (after stop) I start to think about their
> meanings. Especially the number of "Analyzed" and
> "Outstanding" packets:
>
> [... snipp ...]
> Snort ran for 0 Days 19 Hours 37 Minutes 20 Seconds
> Packet analysis time averages:
>
> Snort Analyzed 270 Packets Per Hour
> Snort Analyzed 4 Packets Per Minute
> Snort Analyzed 0 Packets Per Second
>
> Snort received 5145 packets
>     Analyzed: 37793(734.558%)
>     Dropped: 0(0.000%)
>     Outstanding: 4294934648(358537307160051712.000%)
>     ===============================================================================
>     Breakdown by protocol:
>       TCP: 23839      (63.078%)
>       UDP: 3472       (9.187%)
>      ICMP: 265        (0.701%)
>       ARP: 10217      (27.034%)
>     EAPOL: 0          (0.000%)
>      IPv6: 0          (0.000%)
>   ETHLOOP: 0          (0.000%)
>       IPX: 0          (0.000%)
>      FRAG: 0          (0.000%)
>     OTHER: 0          (0.000%)
>   DISCARD: 0          (0.000%)
>     ===============================================================================
>     Action Stats:
>
> [... snipp ...]
>
> O.K. no packets are dropped which is a Good Thing (tm), but where does
> the odd counters for analyzed (over 700 % ?) and outstanding packets
> (358537307160051712.000% ! *gasp*)? The number of outstanding packets
> looks strange. If I subtract the number of outstanding packets from
> 2^32 I will get a more reasonable number of 32648. Counter wrap ?
>
> Any comments/hints would be helpfull.
>
> Many thanks in advance,
>
> Andreas.
>
> P.S.: The system is running Debian 3.1 (stable) with:
> debian3164m:~# uname -a
> Linux debian3164m 2.6.8-12-amd64-k8-smp #1 SMP Tue Sep 19 01:04:26 UTC 2006 x86_64 GNU/Linux
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users