[Oisf-users] stats.log file

David Rodrigues david.network.security at gmail.com
Thu Feb 17 12:15:31 EST 2011


No way. The difference is too big and I restart Suricata every 24h.
I'm running it on a 10 Gbps network (average traffic: 3 Gbps).

Cheers,

David

On Thu, Feb 17, 2011 at 5:22 PM, Victor Julien <victor at inliniac.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> One thing I was thinking is that there is a (short) delay between the
> moment Suricata stops reading packets and the moment it queries pfring
> for stats. During that delay we might see the drop rate increase quickly
> as no packets are processed. I'm not sure if that would account for such
> a big difference though...
>
> Cheers,
> Victor
>
> On 02/15/2011 01:44 PM, Will Metcalf wrote:
>> When I get the chance, I will have a look. AFAIK the PF_RING stats
>> come directly from PF_RING, whereas the Suricata stats are something
>> that we calculate locally.
>>
>> Regards,
>>
>> Will
>>
>> On Mon, Feb 14, 2011 at 2:42 AM, David Rodrigues
>> <david.network.security at gmail.com> wrote:
>>> Hi all,
>>>
>>> Regarding point 2, I would like to say that Suricata's output is a bit confusing.
>>>
>>> I'm testing Suricata with pf-ring, so my output looks like:
>>>
>>> [22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:313) <Info>
>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 3126352683,
>>> bytes 6709029928781
>>> [22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:317) <Info>
>>> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring
>>> Total:7701324177 Recv:7421319979 Drop:280004198 (3.6%)
>>>
>>> I have been running empirical tests on the network. The 3.6% drop rate
>>> is definitively wrong.
>>>
>>> However if I divide 3126352683 (packets analyzed by Suricata) by
>>> 7701324177 (total number of packets) the result is 0.41 (41%). This
>>> drop rate seems to be the correct one. Can someone confirm (or not)
>>> this?
>>>
>>> Cheers,
>>>
>>> David
>>>
>>> On Wed, Feb 9, 2011 at 11:23 PM, Victor Julien <victor at inliniac.net> wrote:
>>>> On 02/09/2011 04:45 AM, ali wrote:
>>>>> Hi all,
>>>>>
>>>>> Can anybody help me to solve my questions:
>>>>>
>>>>> 1. After compiling Suricata, why do I get two tables in the stats.log file?
>>>>
>>>> By default Suricata will write one "table" each 8 seconds.
>>>>
>>>>> 2. Where can I see the packet drop/packet analysed/packet received
>>>>> information?
>>>>
>>>> At shutdown Suricata will print this information to the screen.
>>>>
>>>> Cheers,
>>>> Victor
>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Oisf-users mailing list
>>>>> Oisf-users at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>>>
>>>>
>>>>
>>>> --
>>>> ---------------------------------------------
>>>> Victor Julien
>>>> http://www.inliniac.net/
>>>> PGP: http://www.inliniac.net/victorjulien.asc
>>>> ---------------------------------------------
>>>>
>>>>
>>>
>>
>
>
> - --
> - ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> - ---------------------------------------------
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk1dS0IACgkQiSMBBAuniMf7CgCeIfduM8g6Lmj2EBGzV9ktmLtz
> lz0AnjtuRzigvmenxOeO0wuaWbm2TtFG
> =JzgI
> -----END PGP SIGNATURE-----
>
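The two figures the thread compares can be pulled straight out of the ReceivePfring exit-stats lines. The script below is an added example, not code from this thread or from the Suricata project: the sample lines are reconstructed from the values David quoted (joined back onto single lines where his mail client wrapped them), and the regexes, the ExitStats/parse_exit_stats/check_capture_health names and the 1% loss threshold are assumptions for illustration. It computes PF_RING's own Drop/Total ratio alongside the ratio of Suricata's locally counted packets to PF_RING's totals, and flags either figure that exceeds the threshold, which is the check a sensor owner wants automated rather than read off the console at shutdown.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the two ReceivePfring exit-stats lines quoted in the
# thread, joined back onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
[22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:313) <Info> (ReceivePfringThreadExitStats) -- (ReceivePfring) Packets 3126352683, bytes 6709029928781
[22504] 13/2/2011 -- 23:59:01 - (source-pfring.c:317) <Info> (ReceivePfringThreadExitStats) -- (ReceivePfring) Pfring Total:7701324177 Recv:7421319979 Drop:280004198 (3.6%)
"""

# Patterns for the two message shapes shown in the thread (assumed to match the
# build the poster ran; adjust if your version formats the lines differently).
PACKETS_RE = re.compile(r"\(ReceivePfring\) Packets (\d+), bytes (\d+)")
PFRING_RE = re.compile(r"Pfring Total:(\d+) Recv:(\d+) Drop:(\d+)")


@dataclass
class ExitStats:
    suricata_packets: int   # packets Suricata counted itself (computed locally)
    suricata_bytes: int
    pfring_total: int       # counters reported by PF_RING
    pfring_recv: int
    pfring_drop: int

    def pfring_drop_ratio(self) -> float:
        """Drop rate as PF_RING reports it: Drop / Total (the 3.6% in the thread)."""
        return self.pfring_drop / self.pfring_total

    def processed_ratio(self) -> float:
        """Suricata's own packet count over PF_RING's Total (the 0.41 in the thread)."""
        return self.suricata_packets / self.pfring_total

    def unaccounted_ratio(self) -> float:
        """Share of packets PF_RING says it delivered (Recv) that are absent from Suricata's count."""
        return 1.0 - self.suricata_packets / self.pfring_recv


def parse_exit_stats(lines: Iterable[str]) -> Optional[ExitStats]:
    """Pull both counters out of a stream of log lines; None if either line is missing."""
    packets = None
    pfring = None
    for line in lines:
        m = PACKETS_RE.search(line)
        if m:
            packets = (int(m.group(1)), int(m.group(2)))
            continue
        m = PFRING_RE.search(line)
        if m:
            pfring = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if packets is None or pfring is None:
        return None
    total, recv, drop = pfring
    if total != recv + drop:
        # PF_RING's counters should be self-consistent; a mismatch means the line was misread.
        raise ValueError(f"inconsistent PF_RING counters: {total} != {recv} + {drop}")
    return ExitStats(packets[0], packets[1], total, recv, drop)


def check_capture_health(stats: ExitStats, max_loss: float = 0.01) -> List[str]:
    """Return one finding per loss figure above max_loss; an empty list means capture looks healthy."""
    findings = []
    if stats.pfring_drop_ratio() > max_loss:
        findings.append(
            f"PF_RING reports {stats.pfring_drop_ratio():.1%} dropped "
            f"(threshold {max_loss:.1%})")
    if stats.unaccounted_ratio() > max_loss:
        findings.append(
            f"{stats.unaccounted_ratio():.1%} of the packets PF_RING delivered are "
            f"absent from Suricata's own packet count (threshold {max_loss:.1%})")
    return findings


if __name__ == "__main__":
    stats = parse_exit_stats(SAMPLE_LOG.splitlines())
    print(f"PF_RING drop ratio:       {stats.pfring_drop_ratio():.2%}")
    print(f"Suricata processed/total: {stats.processed_ratio():.2%}")
    for finding in check_capture_health(stats):
        print("WARNING:", finding)
```

Feed it the shutdown console output or a stats.log. As Victor's reply points out, the exit numbers are gathered after Suricata has stopped reading packets, so a single shutdown snapshot deserves some caution; the point of putting the arithmetic in a script is to run it on every restart and watch the trend rather than trust one reading.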

