Re: Crazy snort packet stats

[Nerijus Krukauskas <nkrukauskas () gmail com>]

I too see this kind of statistics. Snort 2.8.5rc, libpcap 0.9.4 on
CentOS 5.3. Snort is monitoring a 100 Mbps link, which rarely goes
above 50% load.

Sep  4 08:00:43 hh snort[2644]: Packet Wire Totals:
Sep  4 08:00:43 hh snort[2644]:    Received:    143173102
Sep  4 08:00:43 hh snort[2644]:    Analyzed:    282576535 (197.367%)
Sep  4 08:00:43 hh snort[2644]:     Dropped:      1884810 (1.316%)
Sep  4 08:00:43 hh snort[2644]: Outstanding: 18446744073568263373
(12884224631501.148%)


On 2009-09-03, Ryan Jordan <ryan.jordan () sourcefire com> wrote:
> It seems to me that we missed the point where "Received" grows greater than
> 2^32. I bet this is what it's supposed to look like:
>
> Received: 6375266719 (Your current received plus 2^32)
> Analyzed: 6254554910
> Dropped:    120711785
> Outstanding:           24
>
> A couple questions to help me narrow down the problem:
> - Have you managed to reproduce this? (Not that I would expect it to happen
> twice.)
> - Which OS are you running? Version of libpcap?
> - How fast is the traffic that you're inspecting?
>
> Thanks for reporting this. I'll have to take another look at the function
> where we look for that counter wrap-around.
>
> -Ryan
>
> On Thu, Sep 3, 2009 at 11:17 AM, Billy Marshall
> <Billy.Marshall () state co us>wrote:
>
> >  Hi All,
> > Check this out please. It seems a bit weird
> >
> > Sep  3 09:07:55 xxxx snort[24051]:    Packet Wire Totals:
> > Sep  3 09:07:55 xxxx snort[24051]:    Received:   2080299423
> > Sep  3 09:07:55 xxxx snort[24051]:    Analyzed:   6254554910 (300.656%)
> > Sep  3 09:07:55 xxxx snort[24051]:    Dropped:    120711785 (5.803%)
> > Sep  3 09:07:55 xxxx snort[24051]:    Outstanding: 18446744069414584344
> > (886735047150.690%)
> >
> > xxxx:/etc/snort # snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.8.4.1 (Build 38)  i386
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/team.html
> >            Copyright (C) 1998-2009 Sourcefire, Inc., et al.
> >            Using PCRE version: 6.4 05-Sep-2005
> > I am not sure what's going on with this. But, the outstanding packets are
> > at a ridiculous percentage and the analyzed packets are 3 times what has
> > been received.
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> > 30-Day
> > trial. Simplify your report design, integration and deployment - and focus
> > on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-users%0ASnort-users>list
> > archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
http://nk99.org/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users