[Oisf-users] Oisf-users Digest, Vol 14, Issue 2

Dave Remien dave.remien at gmail.com
Wed Jan 5 19:14:48 UTC 2011

On Wed, Jan 5, 2011 at 10:00 AM, <
oisf-users-request at openinfosecfoundation.org> wrote:

>  Date: Wed, 5 Jan 2011 16:13:02 +0100
> From: David Rodrigues <david.network.security at gmail.com>
> Subject: [Oisf-users] Drop rate
> To: oisf-users at openinfosecfoundation.org
> Message-ID:
>        <AANLkTinXNtqV435fKCLkwASSg6=yKj2sGfKAz0aN=3h7 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
> Hi all,
> First, I would like to wish a happy new year to all.

Happy New Year to you too!

> I'm having some doubts about snort statistics. I'm testing Suricata in a
> very high speed network and I would like to have statistics about
> performance (e.g.: drop rate).
> The drop rate I'm using is the one printed when Suricata exits. But these
> are the Pcap statistics:
> [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes
> 14643147733
> [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info>
> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236
> Recv:71318162 Drop:46416074 (39.4%).
> Does it mean that it only regards Pcap? For instance, if I have a 39 drop
> rate, does it mean that Suricata analyzed 61% of the traffic? Or does it
> mean that Pcap captured 61% of the packets and Suricata can still drop
> more?

Suricata should have printed out how many packets it processed in the
stats.log file, for comparison.

Traditionally, especially in high traffic scenarios, the Linux pcap Drop
numbers aren't very reliable, in that more (to many more) pkts may have been
dropped than pcap reports. Pcapping is a best-case effort; results not
guaranteed. Higher speed packet capture options include mem-mapped pcap and

>  Another question is: can I have drop statistics without shutting down.

The pcap_stats() call could be checked at the stats report interval, and the
results reported with the rest of the stats.

> Suricata?
> Thanks a lot,
> David


"Of course, someone who knows more about this will correct me if I'm
wrong, and someone who knows less will correct me if I'm right."
David Palmer (palmer at tybalt.caltech.edu)
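The comparison suggested above (pcap's own Drop figure against the packets the capture thread actually processed), as an added example that is not part of this thread or of Suricata: it parses the two exit-stats lines David quoted (values copied from the mail into a constructed sample log), derives the drop percentage, checks that Total equals Recv + Drop, and reports how Recv - Drop compares with the Packets counter. It assumes only the line formats shown in the mail and, for that last comparison, that Recv counts packets before kernel-side drops.

```python
import re

# Constructed sample input: the two capture-thread exit lines quoted in the
# thread (values copied from the e-mail), as they would appear in the log.
SAMPLE_LOG = """\
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).
"""

# Thread name in parentheses, followed by the counters Suricata prints.
PACKETS_RE = re.compile(r"\((\w+)\) Packets (\d+), bytes (\d+)")
PCAP_RE = re.compile(r"\((\w+)\) Pcap Total:(\d+) Recv:(\d+) Drop:(\d+)")


def parse_exit_stats(text):
    """Return {thread_name: counters} from Suricata capture-thread exit lines."""
    threads = {}
    for line in text.splitlines():
        m = PACKETS_RE.search(line)
        if m:
            t = threads.setdefault(m.group(1), {})
            t["packets"], t["bytes"] = int(m.group(2)), int(m.group(3))
            continue
        m = PCAP_RE.search(line)
        if m:
            t = threads.setdefault(m.group(1), {})
            t["total"], t["recv"], t["drop"] = (int(x) for x in m.group(2, 3, 4))
    return threads


def summarize(t):
    """Derive the drop rate and the Recv/Packets comparison for one thread."""
    total, recv, drop, packets = t["total"], t["recv"], t["drop"], t["packets"]
    return {
        # The percentage Suricata prints is Drop / Total, with Total = Recv + Drop.
        "drop_pct": 100.0 * drop / total if total else 0.0,
        "consistent": total == recv + drop,
        # Share of everything pcap saw that the thread actually processed.
        "analysed_pct": 100.0 * packets / total if total else 0.0,
        # Assumption: Recv counts packets before kernel-side drops, so Recv - Drop
        # should be close to Packets; a large gap means the two counters disagree.
        "delivered_gap": (recv - drop) - packets,
    }


if __name__ == "__main__":
    for name, counters in parse_exit_stats(SAMPLE_LOG).items():
        s = summarize(counters)
        print(f"{name}: drop {s['drop_pct']:.1f}%, analysed {s['analysed_pct']:.1f}%, "
              f"Total==Recv+Drop: {s['consistent']}, (Recv-Drop)-Packets: {s['delivered_gap']}")
```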