Re: Snort performance output strangeness?

[Jimmy Crackcorn <jimmy.cr4ckc0rn () gmail com>]

Interesting.  I've got PF_RING enabled as Jason mentioned but I'm
running libpcap 1.0.  It is CentOS so it's possible that the patch
somehow is still managing to mangle things.  Do you guys at SF run
PF_RING and if so, do you see the same stats?

Thanks for the responses!

On Tue, Jul 20, 2010 at 15:56, Ryan Jordan <ryan.jordan () sourcefire com> wrote:
> This is a common bug when using Red Hat's version of libpcap 0.9.4.
> The original had a bug in the received count, and Snort had a
> workaround. Then Red Hat backported the bugfix to libpcap 0.9.4
> instead of shipping 0.9.5, screwing up our workaround and causing the
> stats you see.
>
> Short version: upgrade libpcap.
>
> -Ryan
>
> On Tue, Jul 20, 2010 at 5:12 PM, Jason Wallace
> <jason.r.wallace () gmail com> wrote:
> > Are you using a PF_Ring enabled libpcap? I've seen that happen when
> > using PF_Ring.
> >
> > Wally
> >
> > On Tue, Jul 20, 2010 at 1:32 PM, Jimmy Crackcorn
> > <jimmy.cr4ckc0rn () gmail com> wrote:
> > > Hi,
> > >
> > > When I do a 'kill -USR1 <pid>' to see the performance stats on one of
> > > my snort processes (2.8.5.3), I see the following:
> > >
> > > Jul 20 17:19:22 localhost snort[2296]:
> > > ===============================================================================
> > > Jul 20 17:19:22 localhost snort[2296]: Packet Wire Totals:
> > > Jul 20 17:19:22 localhost snort[2296]:    Received:    706180384
> > > Jul 20 17:19:22 localhost snort[2296]:    Analyzed:   1359324466 (192.490%)
> > > Jul 20 17:19:22 localhost snort[2296]:     Dropped:     26517651 (3.755%)
> > > Jul 20 17:19:22 localhost snort[2296]: Outstanding:
> > > 18446744073029889883 (2612185850949.648%)
> > > Jul 20 17:19:22 localhost snort[2296]:
> > > ===============================================================================
> > >
> > > The percentages are leaving me scratching my head (especially
> > > "Outstanding").  Can anyone enlighten me?
> > >
> > > Cheers
> > >
> > > ------------------------------------------------------------------------------
> > > This SF.net email is sponsored by Sprint
> > > What will you do first with EVO, the first 4G phone?
> > > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > ------------------------------------------------------------------------------
> > This SF.net email is sponsored by Sprint
> > What will you do first with EVO, the first 4G phone?
> > Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users