[Oisf-users] detect engine stats
Theodore Elhourani
theodore.elhourani at gmail.com
Fri Jul 5 00:04:10 UTC 2013
My question was about the detect threads. Is it reasonable to assume that
if N packets were decoded then N packets are scanned by the detect threads
(matched against rules)?
Thanks
On Mon, Jul 1, 2013 at 11:28 PM, Peter Manev <petermanev at gmail.com> wrote:
> On Mon, Jul 1, 2013 at 6:56 PM, Theodore Elhourani
> <theodore.elhourani at gmail.com> wrote:
> > There aren't enough statistics for UDP. The stats.log file does not say how
> > many packets the detect threads have scanned.
>
>
> decoder.pkts | RxPcapeth01 | 9683
> decoder.bytes | RxPcapeth01 | 6431276
> decoder.ipv4 | RxPcapeth01 | 9683
> decoder.ipv6 | RxPcapeth01 | 0
> decoder.ethernet | RxPcapeth01 | 9683
> decoder.raw | RxPcapeth01 | 0
> decoder.sll | RxPcapeth01 | 0
> decoder.tcp | RxPcapeth01 | 5746
> decoder.udp | RxPcapeth01 | 369
> decoder.sctp | RxPcapeth01 | 0
> decoder.icmpv4 | RxPcapeth01 | 0
> decoder.icmpv6 | RxPcapeth01 | 0
> decoder.ppp | RxPcapeth01 | 0
> decoder.pppoe | RxPcapeth01 | 0
> decoder.gre | RxPcapeth01 | 0
> decoder.vlan | RxPcapeth01 | 0
> decoder.teredo | RxPcapeth01 | 0
> decoder.ipv4_in_ipv6 | RxPcapeth01 | 0
> decoder.ipv6_in_ipv6 | RxPcapeth01 | 0
> decoder.avg_pkt_size | RxPcapeth01 | 664
> decoder.max_pkt_size | RxPcapeth01 | 1482
>
> You can see how many were scanned on a per thread basis in the stats.log-
> decoder.udp | RxPcapeth01 | 369
>
>
> thanks
>
>
> >
> > Thanks
> >
> >
> > On Sun, Jun 30, 2013 at 11:26 PM, Peter Manev <petermanev at gmail.com> wrote:
> >>
> >> Hi,
> >>
> >> On Mon, Jul 1, 2013 at 3:25 AM, Theodore Elhourani
> >> <theodore.elhourani at gmail.com> wrote:
> >> > Hi,
> >> >
> >> > I am trying to retrieve the number of packets/traffic size the detect
> >> > threads scanned in a given run. For UDP-only traffic, the stats.log file
> >> > does not contain any stats.
> >>
> >> Just to clarify - you have enabled the stats.log configuration in
> >> suricata.yaml and after doing a run there are no statistics written?
> >> (or you mean there are not enough statistics for UDP in particular)
> >>
> >> Thanks
> >>
> >> >Is there an alternative method for gathering
> >> > stats, specifically on the performance of the detect threads?
> >> >
> >> > Thank you
> >> > Ted
> >> >
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> > OISF: http://www.openinfosecfoundation.org/
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Peter Manev
> >
> >
>
>
>
> --
> Regards,
> Peter Manev
>
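Added example (not code from the thread or from the Suricata project): a small Python parser for stats.log lines in the `counter | thread | value` shape Peter quoted. It groups counters per capture thread and reports how many packets counted by `decoder.pkts` are not attributed to any of the transport-protocol counters, which is the kind of per-thread accounting the question above is after. The sample input is a constructed subset of the quoted output; the counter names are the ones shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the stats.log lines quoted in the thread.
# Lines that do not match the three-column shape (headers, separators,
# timestamps) are skipped by the parser.
SAMPLE_STATS = """\
decoder.pkts | RxPcapeth01 | 9683
decoder.ipv4 | RxPcapeth01 | 9683
decoder.ipv6 | RxPcapeth01 | 0
decoder.tcp | RxPcapeth01 | 5746
decoder.udp | RxPcapeth01 | 369
decoder.sctp | RxPcapeth01 | 0
decoder.icmpv4 | RxPcapeth01 | 0
decoder.icmpv6 | RxPcapeth01 | 0
"""

LINE_RE = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Transport-level counters that appear in the quoted stats.log output.
TRANSPORT_COUNTERS = ("decoder.tcp", "decoder.udp", "decoder.sctp",
                      "decoder.icmpv4", "decoder.icmpv6")


def parse_stats(text):
    """Return {thread: {counter: value}} for every 'counter | thread | value' line."""
    per_thread = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counter, thread, value = m.groups()
            per_thread[thread][counter] = int(value)
    return dict(per_thread)


def unattributed_packets(counters):
    """Packets in decoder.pkts that none of the transport counters claims.

    A positive value means the decoder saw traffic it did not classify as
    TCP/UDP/SCTP/ICMP, so those packets are invisible in the per-protocol
    counters and must be accounted for separately when comparing decoded
    packets against what the detect threads scanned.
    """
    seen = sum(counters.get(c, 0) for c in TRANSPORT_COUNTERS)
    return counters.get("decoder.pkts", 0) - seen


def report(text):
    """Per-thread count of decoded packets not covered by a transport counter."""
    return {t: unattributed_packets(c) for t, c in parse_stats(text).items()}
```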