[Discussion] stats (was: Re: Non-tokenized preprocessor parameter lines)

Victor Julien lists at inliniac.net
Thu Feb 12 08:32:49 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Holste wrote:
> Regarding libpcap stats, to put it simply, they lie.  I'm speaking from
> Snort experience here, but when I've used router byte counters to audit
> how much traffic is going through an interface, then asked Snort how
> many MB/sec it processed, the numbers are very, very different until I
> reduce the load on the box via subnet-based BPF.  The other problem is
> that libpcap drop numbers are completely useless if you're using an
> Endace DAG card or (correct me if this is not true) running through
> iptables.  Undetected drops have been bad enough in my environment where
> I've resorted to creating specific heartbeat signatures and test for the
> absence of a signature to detect when a sensor is failing.  That's still
> far from perfect, though, as there's plenty of room for drops in the
> middle.  In any case, that tells a very different story than asking
> libpcap how many packets it's dropping.

I wonder how this could be improved. I guess the libpcap stats just
reports drop numbers the kernel gives it. Iptables itself doesn't give
drop numbers I think. Netfilter_queue (the iptables ip_queue
replacement) does, but I don't really know how reliable these numbers are...

Cheers,
Victor

- --
- ---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
- ---------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmT3rAACgkQiSMBBAuniMcpxwCeIzf+gdQab8AvtYcXYiMVK8XV
VbAAnihSt4wXC/SP0g6FVPfuH+o5hxDF
=pyqE
-----END PGP SIGNATURE-----
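The two checks discussed in this thread, the interface-counter audit Martin describes and the heartbeat-absence test, as an added example that is not part of the original messages or of any sensor's own code. The /proc/net/dev snapshots, the pcap_stats()-style counters (ps_recv, ps_drop, ps_ifdrop) and the heartbeat timestamps are constructed sample data; the interface name eth1, the function names and the 2% tolerance are assumptions for illustration.

```python
"""Audit a sensor's self-reported capture counters against the kernel's
interface counters, and detect a dead sensor by the absence of a heartbeat.
Added example; all numbers below are constructed, not real measurements."""

from dataclasses import dataclass

# Two constructed /proc/net/dev snapshots (Linux format), taken some seconds apart.
PROC_NET_DEV_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1: 5000000000 4000000    0  150    0     0          0         0        0       0    0    0    0     0       0          0
"""
PROC_NET_DEV_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth1: 6500000000 5200000    0  900    0     0          0         0        0       0    0    0    0     0       0          0
"""


@dataclass
class IfCounters:
    rx_bytes: int
    rx_packets: int
    rx_drop: int


@dataclass
class PcapStats:
    """Mirrors the three fields of libpcap's struct pcap_stat (constructed values)."""
    ps_recv: int
    ps_drop: int
    ps_ifdrop: int


def parse_proc_net_dev(text):
    """Parse /proc/net/dev into {iface: IfCounters}. The first two lines are
    headers; receive columns are bytes, packets, errs, drop, ... in that order."""
    result = {}
    for line in text.splitlines()[2:]:
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        f = rest.split()
        result[name.strip()] = IfCounters(int(f[0]), int(f[1]), int(f[3]))
    return result


def audit_capture(before, after, iface, pcap_t0, pcap_t1, tolerance=0.02):
    """Compare the kernel's packet delta on `iface` with what the sensor's
    pcap_stats() claims for the same window. Assumes no BPF filter is in
    place (a filter would legitimately hide packets from ps_recv). Any
    packets the interface received that neither ps_recv nor the sensor's
    drop counters explain are flagged as 'unaccounted'."""
    kernel_pkts = after[iface].rx_packets - before[iface].rx_packets
    kernel_if_drops = after[iface].rx_drop - before[iface].rx_drop
    seen = pcap_t1.ps_recv - pcap_t0.ps_recv
    reported_drops = (pcap_t1.ps_drop - pcap_t0.ps_drop) + (
        pcap_t1.ps_ifdrop - pcap_t0.ps_ifdrop
    )
    unaccounted = (kernel_pkts - seen - reported_drops) / kernel_pkts if kernel_pkts else 0.0
    return {
        "kernel_packets": kernel_pkts,
        "kernel_if_drops": kernel_if_drops,
        "sensor_seen": seen,
        "sensor_reported_drops": reported_drops,
        "unaccounted_fraction": unaccounted,
        "suspect": unaccounted > tolerance,
    }


def heartbeat_gaps(timestamps, expected_interval, now, slack=1.5):
    """Given sorted times (seconds) at which the heartbeat signature fired,
    return (start, end) of every gap longer than slack * expected_interval,
    including a trailing gap up to `now` if the last heartbeat is stale."""
    limit = slack * expected_interval
    gaps = [(a, b) for a, b in zip(timestamps, timestamps[1:]) if b - a > limit]
    if timestamps and now - timestamps[-1] > limit:
        gaps.append((timestamps[-1], now))
    return gaps


if __name__ == "__main__":
    t0 = parse_proc_net_dev(PROC_NET_DEV_T0)
    t1 = parse_proc_net_dev(PROC_NET_DEV_T1)
    # Constructed sensor counters: it claims 800k received and 20k dropped,
    # while the interface itself counted 1.2M packets and 750 drops.
    print(audit_capture(t0, t1, "eth1", PcapStats(3900000, 0, 0), PcapStats(4700000, 20000, 0)))
    print(heartbeat_gaps([0, 60, 120, 180, 600, 660], 60, now=700))
```

The audit deliberately reports both the interface's own drop counter and the sensor's ps_drop/ps_ifdrop deltas side by side, because, as the thread notes, the latter depend on what the kernel or capture driver chooses to feed libpcap and can read zero while the interface is dropping. Reading the counters from a router or switch instead of /proc/net/dev only changes the parser.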
