[Oisf-users] Percentage of dropped packets

Victor Julien victor at inliniac.net
Wed May 30 07:22:03 UTC 2012


On 05/29/2012 05:29 PM, Chris Wakelin wrote:
> Flow emergencies are probably a bad thing. It might be worth tweaking
> the timeouts.
> 
> I've been battling with tcp.reassembly_gap, which is pretty close to
> zero with PF_RING and DNA. Without DNA, Bro IDS reckoned 80% of streams
> were missing packets.
> 
> PF_RING gives some sort of drop statistics, but I think they're not
> always reliable (might depend on the network card driver). "ethtool -S"
> will tell you what the interface thought was dropped.
> 
> I've got some rough-and-ready scripts I use to try and work out what's
> going on:
> 
> 1) ethtool_stats.sh: run (as root) with something like "ethtool_stats.sh
> eth4".
> 
> There are variations in names of some of the fields between NICs, so it
> may need tweaking. You might also need to update to a more recent
> version of ethtool (http://ftp.kernel.org/pub/software/network/ethtool/).
> 
> It gives output like:
> 
>> 2012-05-29 16:21:27 - Pkts: 543763502, Lost: 0, 0/10 %, Pkts/s: 105244, Mb/s: 659, Lost/s: 0, FSize 820
>> 2012-05-29 16:21:37 - Pkts: 544835542, Lost: 0, 0/10 %, Pkts/s: 107204, Mb/s: 676, Lost/s: 0, FSize 827
> 
> 2) suricata_stats.sh: run (as anything that can read stats.log) with
> something like
> 
> tail -n +1 -F /var/log/suricata/stats.log \
>  | suricata_stats.sh decoder.pkts
> 
> (or whatever you're interested in) and gives output like:
> 
>> Date: 5/29/2012 -- 16:25:39 (uptime: 0d, 01h 28m 04s) : 8 secs, 51557 pkts/s, 332 Mb/s, 23743 gaps, 0 gaps/s    5513    10046   8883    8838    5442    12834
>> Date: 5/29/2012 -- 16:25:47 (uptime: 0d, 01h 28m 12s) : 8 secs, 54312 pkts/s, 359 Mb/s, 23751 gaps, 1 gaps/s    8407    8001    7608    7587    9817    12890
> 
> where the last six (in this case) fields are per interface/queue
> statistics for the parameter specified.

I've been putting some of this info into a new page on the wiki:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Statistics

Feel free to add and improve stuff!

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
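
An added example, not part of the original message and not Chris Wakelin's suricata_stats.sh: one way to turn successive stats.log dumps into per-interval rates for a counter such as decoder.pkts or tcp.reassembly_gap, with per-thread deltas. It assumes the "Counter | TM Name | Value" table layout of stats.log; the sample input is constructed, and parse_dumps and interval_rates are names made up for this example.

```python
import re

# Constructed sample in stats.log's table layout; thread names and packet
# counts are made up, the tcp.reassembly_gap totals are the ones in the post.
SAMPLE = """\
Date: 5/29/2012 -- 16:25:39 (uptime: 0d, 01h 28m 04s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
decoder.pkts              | RxPFR1                    | 1000000
decoder.pkts              | RxPFR2                    | 2000000
tcp.reassembly_gap        | Detect1                   | 23743
-------------------------------------------------------------------
Date: 5/29/2012 -- 16:25:47 (uptime: 0d, 01h 28m 12s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
decoder.pkts              | RxPFR1                    | 1044104
decoder.pkts              | RxPFR2                    | 2080368
tcp.reassembly_gap        | Detect1                   | 23751
"""

UPTIME = re.compile(r"uptime: (\d+)d, (\d+)h (\d+)m (\d+)s")
ROW = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

def parse_dumps(lines):
    """Yield (uptime_secs, {counter: {thread: value}}) for each dump."""
    up, table = None, {}
    for line in lines:
        m = UPTIME.search(line)
        if m:
            if up is not None:
                yield up, table
            d, h, mi, s = map(int, m.groups())
            up, table = ((d * 24 + h) * 60 + mi) * 60 + s, {}
        elif up is not None and (r := ROW.match(line)):
            table.setdefault(r[1], {})[r[2]] = int(r[3])
    if up is not None:
        yield up, table

def interval_rates(lines, counter):
    """Return [(secs, running_total, per_sec, {thread: delta})] per interval."""
    out, prev = [], None
    for up, table in parse_dumps(lines):
        cur = table.get(counter, {})
        if prev is not None and up > prev[0]:  # uptime going back = restart
            secs = up - prev[0]
            delta = {t: v - prev[1].get(t, 0) for t, v in cur.items()}
            if all(d >= 0 for d in delta.values()):  # skip counter resets
                out.append((secs, sum(cur.values()), sum(delta.values()) // secs, delta))
        prev = (up, cur)
    return out
```

The counters are cumulative since start-up, so an interval that spans a restart is skipped rather than reported as a negative rate.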



