[Oisf-users] stats.log file

Victor Julien victor at inliniac.net
Thu Feb 17 11:22:26 EST 2011


One thing I was thinking is that there is a (short) delay between the
moment Suricata stops reading packets and the moment it queries pfring
for stats. During that delay we might see the drop rate increase quickly
as no packets are processed. I'm not sure if that would account for such
a big difference though...

Cheers,
Victor

On 02/15/2011 01:44 PM, Will Metcalf wrote:
> When I get the chance, I will have a look. AFAIK the PF_RING stats
> come directly from PF_RING.  Whereas the suricata stats are something
> that we calculate locally.
> 
> Regards,
> 
> Will
> 
> On Mon, Feb 14, 2011 at 2:42 AM, David Rodrigues
> <david.network.security at gmail.com> wrote:
>> Hi all,
>>
>> Regarding point 2, I would like to say that Suricata's output is a bit confusing.
>>
>> I'm testing Suricata with pf-ring, so my output looks like:
>>
>> [22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:313) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 3126352683,
>> bytes 6709029928781
>> [22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:317) <Info>
>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring
>> Total:7701324177 Recv:7421319979 Drop:280004198 (3.6%)
>>
>> I have been running empirical tests on the network. The 3.6% drop rate
>> is definitively wrong.
>>
>> However if I divide 3126352683 (packets analyzed by Suricata) by
>> 7701324177 (total number of packets) the result is 0.41 (41%). This
>> drop rate seems to be the correct one. Can someone confirm (or not)
>> this?
>>
>> Cheers,
>>
>> David
>>
>> On Wed, Feb 9, 2011 at 11:23 PM, Victor Julien <victor at inliniac.net> wrote:
>>> On 02/09/2011 04:45 AM, ali wrote:
>>>> Hi all,
>>>>
>>>> Can anybody help me to solve my questions:
>>>>
>>>> 1. After compiling Suricata, why do I get two tables in the stats.log file?
>>>
>>> By default Suricata will write one "table" every 8 seconds.
>>>
>>>> 2. Where can I see the packet drop/packet analysed/packet received
>>>> information?
>>>
>>> At shutdown Suricata will print this information to the screen.
>>>
>>> Cheers,
>>> Victor
>>>
>>>>
>>>> _______________________________________________
>>>> Oisf-users mailing list
>>>> Oisf-users at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>
>>>
>>>
>>> --
>>> ---------------------------------------------
>>> Victor Julien
>>> http://www.inliniac.net/
>>> PGP: http://www.inliniac.net/victorjulien.asc
>>> ---------------------------------------------
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
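
Added example (not part of the thread and not Suricata code): a small parser for the two ReceivePfring exit-stats lines quoted above, reconciling Suricata's own packet count with the PF_RING counters. The function and key names are made up for this example, and the 2**32 check is an assumption about one possible cause of a gap, not something the thread confirms.

```python
import re

# Exit-stats excerpt as quoted in the thread, e-mail line wrapping included.
SAMPLE = """\
[22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:313) <Info>
(ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 3126352683,
bytes 6709029928781
[22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:317) <Info>
(ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring
Total:7701324177 Recv:7421319979 Drop:280004198 (3.6%)
"""

PKTS_RE = re.compile(r"\(ReceivePfring\) Packets (\d+), bytes (\d+)")
RING_RE = re.compile(r"Pfring Total:(\d+) Recv:(\d+) Drop:(\d+)")


def reconcile(log_text):
    """Compare Suricata's own packet count with the PF_RING counters."""
    flat = " ".join(log_text.split())  # undo the line wrapping
    pkts, ring = PKTS_RE.search(flat), RING_RE.search(flat)
    if not pkts or not ring:
        raise ValueError("ReceivePfring exit stats not found")
    suricata_pkts = int(pkts.group(1))
    total, recv, drop = (int(v) for v in ring.groups())
    if total == 0:
        raise ValueError("PF_RING total is zero, no rates to compute")
    # Packets the ring says it delivered but Suricata did not count.
    gap = recv - suricata_pkts
    return {
        # Do the ring's own counters add up?
        "ring_consistent": total == recv + drop,
        # Drop rate as PF_RING reports it (Drop / Total).
        "ring_drop_pct": round(100 * drop / total, 1),
        # The ratio computed by hand in the thread (Packets / Total).
        "suricata_over_total": round(suricata_pkts / total, 2),
        "gap": gap,
        # Assumption: a gap that is an exact multiple of 2**32 points at a
        # wrapped 32-bit counter rather than at lost packets.
        "gap_wraps_32bit": gap // 2**32 if gap > 0 and gap % 2**32 == 0 else 0,
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted numbers, Total equals Recv plus Drop, and Recv minus Packets is exactly 4294967296 (2**32).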
