[Oisf-users] Oisf-users Digest, Vol 14, Issue 2

David Rodrigues david.network.security at gmail.com
Thu Jan 6 08:49:43 UTC 2011


Thanks Dave for the explanation. I'll definitely give pf_ring a try.
However, now that I'm looking more carefully at the output, I see that the
two lines show different results:

[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info>
(ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes
14643147733
[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info>
(ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236
Recv:71318162 Drop:46416074 (39.4%).

In the first line, the number of received/total(?) packets is 24902042. In
the second line the number of packets(?) is completely different: 117734236
total and 71318162 received.

Looking into the code, the first line comes from tv (ThreadVars) while the
second line comes from data (PcapThreadVars). However, I don't understand what
the difference between them is.

Thanks,

David

On Wed, Jan 5, 2011 at 8:14 PM, Dave Remien <dave.remien at gmail.com> wrote:

>
>
> On Wed, Jan 5, 2011 at 10:00 AM, <
> oisf-users-request at openinfosecfoundation.org> wrote:
>
>
>
>>  Date: Wed, 5 Jan 2011 16:13:02 +0100
>
> From: David Rodrigues <david.network.security at gmail.com>
>> Subject: [Oisf-users] Drop rate
>> To: oisf-users at openinfosecfoundation.org
>> Message-ID:
>>        <AANLkTinXNtqV435fKCLkwASSg6=yKj2sGfKAz0aN=3h7 at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi all,
>>
>> First, I would like to wish a happy new year to all.
>>
>
> Happy New Year to you too!
>
>>
>> I'm having some doubts about snort statistics. I'm testing Suricata in a
>> very high-speed network and I would like to have statistics about
>> performance (e.g. drop rate).
>>
>> The drop rate I'm using is the one printed when Suricata exits. But these
>> are the Pcap statistics:
>> [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info>
>> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes
>> 14643147733
>> [10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info>
>> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236
>> Recv:71318162 Drop:46416074 (39.4%).
>>
>> Does it mean that it only regards Pcap? For instance, if I have a 39% drop
>> rate, does it mean that Suricata analyzed 61% of the traffic? Or does it
>> mean that Pcap captured 61% of the packets and Suricata can still drop
>> more?
>>
>
> Suricata should have printed out how many packets it processed in the
> stats.log file, for comparison.
>
> Traditionally, especially in high traffic scenarios, the Linux pcap Drop
> numbers aren't very reliable, in that more (to many more) pkts may have been
> dropped than pcap reports. Pcapping is a best-case effort; results not
> guaranteed. Higher speed packet capture options include mem-mapped pcap and
> pf_ring.
>
>
>
>
>> Another question is: can I have drop statistics without shutting down
>
>
> The pcap_stats() call could be checked at the stats report interval, and
> the results reported with the rest of the stats.
>
>
>> Suricata?
>>
>> Thanks a lot,
>>
>> David
>>
>
> Cheers,
>
> Dave
>
>
>>
>> End of Oisf-users Digest, Vol 14, Issue 2
>> *****************************************
>>
>
>
> --
> "Of course, someone who knows more about this will correct me if I'm
> wrong, and someone who knows less will correct me if I'm right."
> David Palmer (palmer at tybalt.caltech.edu)
>
>
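The two exit-stats lines quoted in this thread can be checked mechanically. The following is an added example, not Suricata's own code: it parses the `ReceivePcapThreadExitStats` lines above, verifies that the printed `Total` equals `Recv + Drop` (which the quoted numbers do satisfy), recomputes the drop percentage, and reports the gap between pcap's `Recv` figure and the thread's own `Packets` counter. It also shows the delta calculation that a periodic report at the stats interval, as Dave suggests, would need, because `pcap_stats()` counters are cumulative since the capture was opened. The function names, the `PcapStats` class and the mid-run snapshot are this example's own constructions; the two log lines are copied from the thread.

```python
"""Parse Suricata 1.x ReceivePcapThreadExitStats output and compute drop figures.

Added example, not Suricata's own code. The two sample lines are copied from
the mailing-list thread; everything else here is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Exit stats copied verbatim from the thread (the "Packets" line and the "Pcap" line).
EXIT_STATS = [
    "[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:429) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Packets 24902042, bytes 14643147733",
    "[10424] 5/1/2011 -- 15:21:14 - (source-pcap.c:437) <Info> (ReceivePcapThreadExitStats) -- (ReceivePcap) Pcap Total:117734236 Recv:71318162 Drop:46416074 (39.4%).",
]

PACKETS_RE = re.compile(r"\((?P<thread>[^)]+)\) Packets (?P<pkts>\d+), bytes (?P<bytes>\d+)")
PCAP_RE = re.compile(r"\((?P<thread>[^)]+)\) Pcap Total:(?P<total>\d+) Recv:(?P<recv>\d+) Drop:(?P<drop>\d+)")


@dataclass
class PcapStats:
    """One capture thread's figures, named as Suricata prints them."""
    thread: str
    packets: int = 0  # "Packets": what the capture thread itself counted (the tv/data counter)
    bytes: int = 0
    total: int = 0    # "Total": printed by Suricata as Recv + Drop
    recv: int = 0     # "Recv": pcap_stats() ps_recv
    drop: int = 0     # "Drop": pcap_stats() ps_drop

    def drop_pct(self) -> float:
        """Drop percentage the same way the log line computes it."""
        return 100.0 * self.drop / self.total if self.total else 0.0

    def is_consistent(self) -> bool:
        """Total should be Recv + Drop; a mismatch means a mis-parsed or truncated line."""
        return self.total == self.recv + self.drop

    def recv_minus_packets(self) -> int:
        """Gap between what pcap reports as received and what the thread counted.

        How to read this gap depends on the platform's pcap_stats() semantics
        (see the caveat in the thread that Linux drop numbers are not reliable);
        the example only measures it.
        """
        return self.recv - self.packets


def parse_exit_stats(lines):
    """Collect per-thread PcapStats from ReceivePcapThreadExitStats log lines."""
    stats = {}
    for line in lines:
        m = PACKETS_RE.search(line)
        if m:
            s = stats.setdefault(m["thread"], PcapStats(m["thread"]))
            s.packets, s.bytes = int(m["pkts"]), int(m["bytes"])
            continue
        m = PCAP_RE.search(line)
        if m:
            s = stats.setdefault(m["thread"], PcapStats(m["thread"]))
            s.total, s.recv, s.drop = int(m["total"]), int(m["recv"]), int(m["drop"])
    return stats


def interval_drop_pct(prev: PcapStats, cur: PcapStats) -> float:
    """Drop rate for the period between two snapshots of the same capture.

    pcap_stats() counters are cumulative since pcap_open, so a report at the
    stats interval needs the delta between snapshots, not the raw counters.
    """
    d_drop = cur.drop - prev.drop
    d_total = cur.total - prev.total
    if d_drop < 0 or d_total < 0:
        raise ValueError("counters went backwards; was the capture reopened?")
    return 100.0 * d_drop / d_total if d_total else 0.0


if __name__ == "__main__":
    s = parse_exit_stats(EXIT_STATS)["ReceivePcap"]
    print(f"{s.thread}: consistent={s.is_consistent()} drop={s.drop_pct():.1f}% "
          f"recv-packets={s.recv_minus_packets()}")
    # Constructed mid-run snapshot (not from the thread) to show the delta calculation.
    earlier = PcapStats("ReceivePcap", total=60000000, recv=40000000, drop=20000000)
    print(f"drop rate since snapshot: {interval_drop_pct(earlier, s):.1f}%")
```

Run it as-is to reproduce the 39.4% from the quoted line; feed it the lines of every capture thread to get per-thread figures, since each thread prints its own pair of lines.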