Re: [Snort-users] statistics, dropped packets, and counters
Snort gets received and drop stats from libpcap (pcap_stats() function),
which in most cases gets the stats from the kernel. For Linux, the function
pcap_stats_linux() is used as the callback for pcap_stats() and the
following comment is in the libpcap 0.9.8 code:

....
 * "ps_drop" counts packets dropped because we ran
 * out of buffer space. It doesn't count packets
 * dropped by the interface driver. It counts only
 * packets that passed the filter.
....

Snort uses the ps_drop stat.

Jorge Cuevas wrote:
> Hi all,
>
> I am trying to gather accurate information regarding packet loss when I
> use snort.
>
> The point is, when I send the kill -USR1 signal to snort, trying to gather
> some statistics, are the dropped packets shown here related to snort
> itself, or to libpcap losses (called from snort)? Is this value reliable?
>
> For example, ntop shows information regarding dropped packets due to
> the ntop application itself, and dropped packets from libpcap. In one
> scenario, I am using a pf_ring socket with ntop, and from
> /proc/net/pf_ring, I can read libpcap or pf_ring dropping statistics
> which fit exactly with those shown by the ntop web interface. Does anyone
> know from where I can read libpcap dropped statistics in a raw manner
> similar to the /proc/net/pf_ring ones when using snort and common libpcap?
> i.e., does libpcap log any kind of basic or raw statistics? Are they
> reliable?
>
> And last question, what about the statistics from these commands:
>
> ip -stats link
> cat /proc/net/dev
>
> Are the dropped packets gathered from here related in any manner to
> dropped packets shown in snort statistics?
>
> Any help will be much appreciated.
>
> Thanks in advance
>
> Jorge
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
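
Added example (not part of the original thread, and not Snort or libpcap code): since the reply notes that ps_drop does not count packets dropped by the interface driver, an operator can track the interface receive counters from /proc/net/dev alongside Snort's own figure. The Python below diffs two snapshots of that file; the snapshots and the interface name eth1 are constructed, and treating drop + fifo as interface-level loss is an assumption.

```python
# Added example: interface-level RX loss between two /proc/net/dev snapshots.
# Both snapshots are constructed sample data, not output from a real sensor.
SNAP_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104200    1200    0    0    0     0          0         0   104200    1200    0    0    0     0       0          0
  eth1:918273645 1500000    0   40   12     0          0       310        0       0    0    0    0     0       0          0
"""
SNAP_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  104200    1200    0    0    0     0          0         0   104200    1200    0    0    0     0       0          0
  eth1:1218273645 1999000    0  540  512     0          0       420        0       0    0    0    0     0       0          0
"""

# Order of the eight receive columns in /proc/net/dev.
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo",
             "frame", "compressed", "multicast")


def parse_rx(text):
    """Return {interface: {rx_field: int}} parsed from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines()[2:]:        # first two lines are headers
        if ":" not in line:
            continue
        # Split on ':' because the name can be glued to the first counter.
        iface, counters = line.split(":", 1)
        values = counters.split()
        if len(values) < 16:                  # 8 receive + 8 transmit columns
            continue
        stats[iface.strip()] = dict(zip(RX_FIELDS, map(int, values[:8])))
    return stats


def rx_loss(before, after, iface):
    """Per-interval RX deltas and loss percentage for one interface."""
    b, a = parse_rx(before)[iface], parse_rx(after)[iface]
    delta = {f: a[f] - b[f] for f in ("packets", "drop", "fifo")}
    if min(delta.values()) < 0:
        # Counters went backwards: wrapped or reset, so the interval is unusable.
        raise ValueError("counter reset or wrap on " + iface)
    lost = delta["drop"] + delta["fifo"]      # assumption: both count as loss
    seen = delta["packets"] + lost            # assumption: drops not in 'packets'
    delta["loss_pct"] = round(100.0 * lost / seen, 3) if seen else 0.0
    return delta


if __name__ == "__main__":
    print(rx_loss(SNAP_T0, SNAP_T1, "eth1"))
```

On a live sensor, the two snapshots would be read from /proc/net/dev at the start and end of the same interval over which Snort's dropped count is taken.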