Hi,<br><br>You mention that the output of uds.py is:<br>
.....<br>
NO.200012<br>
NO.200013<br>
NO.200014<br>
NO.200015<br><br>If I understand correctly... this means that the python script received 200015 HTTP requests, the same number logged by suricata, right?<br><br>So, probably ab sent them. You could record all the packets with tcpdump -i eth0 -n -s0 -w trace.pcap tcp and then use ngrep to count them.<br>
<br>Regards,<br><br><div class="gmail_quote">On Tue, Jul 10, 2012 at 3:41 PM, Anoop Saldanha <span dir="ltr"><<a href="mailto:anoopsaldanha@gmail.com" target="_blank">anoopsaldanha@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5">On Tue, Jul 10, 2012 at 7:06 PM, Victor Julien <<a href="mailto:victor@inliniac.net">victor@inliniac.net</a>> wrote:<br>
> On 07/10/2012 07:08 AM, Delta Yeh wrote:<br>
>> Hi,<br>
>> In my test, I see the number of request logged is more than the number of ab.<br>
>> The topo is :<br>
>> ab ---- bridge(suricata,debian6) --- www<br>
>> I use ab -c 4 -n 200000 <a href="http://192.168.35.111:8079/" target="_blank">http://192.168.35.111:8079/</a> to generate http requests.<br>
>><br>
>> It is expected to get 200000 http log entry but I get 200015.<br>
>> I don't know wether ab send the additional 15 requests or someting<br>
>> wrong with suricata?<br>
>><br>
>> The http log config is:<br>
>> - http-log:<br>
>> enabled: yes<br>
>> filename: /tmp/accesslog<br>
>> extended: yes<br>
>> append: yes<br>
>> filetype: unix_dgram<br>
><br>
> Can you test with the regular http.log file output? Make it overwrite<br>
> (append: no) and do a wc -l http.log after the test. Rules out errors in<br>
> the unix_dgram connection.<br>
><br>
> Also, are you sure you're not seeing some other requests that the host<br>
> makes?<br>
><br>
> Cheers,<br>
> Victor<br>
><br>
> --<br>
> ---------------------------------------------<br>
> Victor Julien<br>
> <a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
> PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
> ---------------------------------------------<br>
><br>
><br>
><br>
> _______________________________________________<br>
> Oisf-devel mailing list<br>
> <a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
<br>
</div></div>To add to it, how many requests does the engine show at shutdown(on<br>
the console)?<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Anoop Saldanha<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Oisf-devel mailing list<br>
<a href="mailto:Oisf-devel@openinfosecfoundation.org">Oisf-devel@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
</div></div></blockquote></div><br>