<div dir="ltr">My question was about the detect threads. Is it reasonable to assume that if N packets were decoded then N packets are scanned by the detect threads (matched against rules)?<div><br></div><div style>Thanks</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Jul 1, 2013 at 11:28 PM, Peter Manev <span dir="ltr">&lt;<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Mon, Jul 1, 2013 at 6:56 PM, Theodore Elhourani<br>
&lt;<a href="mailto:theodore.elhourani@gmail.com">theodore.elhourani@gmail.com</a>&gt; wrote:<br>
> There aren't enough statistics for UDP. The stats.log file does not say how<br>
> many packets the detect threads have scanned.<br>
<br>
<br>
</div>decoder.pkts              | RxPcapeth01               | 9683<br>
decoder.bytes             | RxPcapeth01               | 6431276<br>
decoder.ipv4              | RxPcapeth01               | 9683<br>
decoder.ipv6              | RxPcapeth01               | 0<br>
decoder.ethernet          | RxPcapeth01               | 9683<br>
decoder.raw               | RxPcapeth01               | 0<br>
decoder.sll               | RxPcapeth01               | 0<br>
decoder.tcp               | RxPcapeth01               | 5746<br>
decoder.udp               | RxPcapeth01               | 369<br>
decoder.sctp              | RxPcapeth01               | 0<br>
decoder.icmpv4            | RxPcapeth01               | 0<br>
decoder.icmpv6            | RxPcapeth01               | 0<br>
decoder.ppp               | RxPcapeth01               | 0<br>
decoder.pppoe             | RxPcapeth01               | 0<br>
decoder.gre               | RxPcapeth01               | 0<br>
decoder.vlan              | RxPcapeth01               | 0<br>
decoder.teredo            | RxPcapeth01               | 0<br>
decoder.ipv4_in_ipv6      | RxPcapeth01               | 0<br>
decoder.ipv6_in_ipv6      | RxPcapeth01               | 0<br>
decoder.avg_pkt_size      | RxPcapeth01               | 664<br>
decoder.max_pkt_size      | RxPcapeth01               | 1482<br>
<br>
You can see how many were scanned on a per-thread basis in the stats.log:<br>
decoder.udp               | RxPcapeth01               | 369<br>
<br>
<br>
thanks<br>
<div><div class="h5"><br>
<br>
><br>
> Thanks<br>
><br>
><br>
> On Sun, Jun 30, 2013 at 11:26 PM, Peter Manev &lt;<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>&gt; wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> On Mon, Jul 1, 2013 at 3:25 AM, Theodore Elhourani<br>
>> &lt;<a href="mailto:theodore.elhourani@gmail.com">theodore.elhourani@gmail.com</a>&gt; wrote:<br>
>> > Hi,<br>
>> ><br>
>> > I am trying to retrieve the number of packets/traffic size the detect<br>
>> > threads scanned in a given run. For UDP-only traffic, the stats.log file<br>
>> > does not contain any stats.<br>
>><br>
>> Just to clarify - you have enabled the stats.log configuration in<br>
>> suricata.yaml and after doing a run there are no statistics written?<br>
>> (or you mean there are not enough statistics for UDP in particular)<br>
>><br>
>> Thanks<br>
>><br>
>> > Is there an alternative method for gathering<br>
>> > stats, specifically on the performance of the detect threads?<br>
>> ><br>
>> > Thank you<br>
>> > Ted<br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> Regards,<br>
>> Peter Manev<br>
><br>
><br>
<br>
<br>
<br>
</div></div>--<br>
Regards,<br>
Peter Manev<br>
</blockquote></div><br></div>
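Added example, not part of the thread or of Suricata itself: a small Python parser for the `counter | thread | value` rows of stats.log quoted above, returning per-thread decoder counters and their sum across threads. The header rows and the second thread name `RxPcapeth02` are constructed for the example, and keeping the last value read for each counter is an assumption.

```python
from collections import defaultdict

# Rows for RxPcapeth01 are copied from the excerpt quoted in the thread.
# The header/separator rows and the RxPcapeth02 rows are constructed.
SAMPLE = """\
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
decoder.pkts              | RxPcapeth01               | 9683
decoder.tcp               | RxPcapeth01               | 5746
decoder.udp               | RxPcapeth01               | 369
decoder.pkts              | RxPcapeth02               | 1200
decoder.tcp               | RxPcapeth02               | 0
decoder.udp               | RxPcapeth02               | 1200
"""


def parse_stats(text):
    """Return {thread: {counter: value}} from 'counter | thread | value' rows."""
    per_thread = defaultdict(dict)
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skips separators, the column header and blank lines
        counter, thread, value = fields
        per_thread[thread][counter] = int(value)  # assumption: last value wins
    return dict(per_thread)


def totals(per_thread):
    """Sum each counter across threads (only meaningful for count-type
    counters, not for averages or maxima such as decoder.avg_pkt_size)."""
    out = defaultdict(int)
    for counters in per_thread.values():
        for name, value in counters.items():
            out[name] += value
    return dict(out)


def udp_share(counters):
    """Fraction of one thread's decoded packets that were UDP (0.0 if none)."""
    pkts = counters.get("decoder.pkts", 0)
    return counters.get("decoder.udp", 0) / pkts if pkts else 0.0


if __name__ == "__main__":
    stats = parse_stats(SAMPLE)
    for thread, counters in sorted(stats.items()):
        print(thread, counters, f"udp share {udp_share(counters):.3f}")
    print("all threads:", totals(stats))
```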