snort-users August 2010 archive

Re: [Snort-users] 100% Outstanding - what does that mean?

From: Bryan Arenal <b.arenal_at_nospam>
Date: Mon Aug 09 2010 - 20:47:54 GMT
To: Russ Combs <rcombs@sourcefire.com>

On Mon, Aug 9, 2010 at 09:14, Russ Combs <rcombs@sourcefire.com> wrote:
>
>
> On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenal@gmail.com> wrote:
>>
>> I just set up a new sensor and when checking its performance
>> statistics, I am seeing a couple of the interfaces with Outstanding at
>> 100%.  Here's the output from one of the interfaces:
>>
>> Aug  9 06:56:54 spock snort[1536]:
>>
>> ===============================================================================
>> Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
>> Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
>> Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
>> Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
>> Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
>> Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
>> Aug  9 06:56:54 spock snort[1536]:    Injected:            0
>> Aug  9 06:56:54 spock snort[1536]:
>>
>> ===============================================================================
>>
>> What exactly does that mean?  A google search shows a February email
>> from Matt Watchinski saying, "Outstanding means that packets never got
>> out of the ethernet card before they got dropped.  IE pcap didn't get
>> to them before they disappeared."  But the README.counts in the 2.9.0
>> beta documentation says "Outstanding indicates how many packets are
>> buffered awaiting processing."  So I suppose I'm a bit confused.  If
>> they're buffered, pcap has gotten to them, correct?  Can I see why
>> 100% of them are buffered and not processing?
>
> The DAQ changes things up a little with 2.9.0.  Which DAQ are you using and
> how is it configured?

That was actually a test box and I haven't done any additional
configuration to DAQ but I do see the same thing on one of my other
machines that's running 2.8.6.1. And CPU utilization on that snort
process is near 0%.

Aug 9 11:23:33 spock snort[13693]:
===============================================================================
Aug 9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug 9 11:23:33 spock snort[13693]: Received: 149221835
Aug 9 11:23:33 spock snort[13693]: Analyzed: 0 (0.000%)
Aug 9 11:23:33 spock snort[13693]: Dropped: 2338 (0.002%)
Aug 9 11:23:33 spock snort[13693]: Outstanding: 149219497 (99.998%)
Aug 9 11:23:33 spock snort[13693]:
===============================================================================

But other processes running on other interfaces are reporting normal
stats. Looks like it's just regular HTTP traffic and not a whole lot
at that.

And thanks for the humor Justin and Marty! :-)

Regards,

Bryan
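
A sensor health check built on the two statistics blocks quoted in this message, as an added example that is not part of the original post or of Snort: it parses per-process totals from syslog and flags a process that receives traffic but analyzes none. The 1% Outstanding threshold, the assumption that the counters sum to Received, and the PID 4242 sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Counter lines shared by "Packet I/O Totals" (2.9.0) and "Packet Wire Totals" (2.8.6.1).
LINE = re.compile(r"snort\[(?P<pid>\d+)\]:\s*(?P<key>Received|Analyzed|Dropped|"
                  r"Filtered|Outstanding):\s*(?P<val>\d+)")

# PIDs 1536/13693 use the thread's values; PID 4242 is constructed (healthy).
SAMPLE = """\
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug 9 11:23:33 spock snort[13693]: Received: 149221835
Aug 9 11:23:33 spock snort[13693]: Analyzed: 0 (0.000%)
Aug 9 11:23:33 spock snort[13693]: Dropped: 2338 (0.002%)
Aug 9 11:23:33 spock snort[13693]: Outstanding: 149219497 (99.998%)
Aug 9 11:25:00 spock snort[4242]: Received: 1000
Aug 9 11:25:00 spock snort[4242]: Analyzed: 998 (99.800%)
Aug 9 11:25:00 spock snort[4242]: Dropped: 2 (0.200%)
Aug 9 11:25:00 spock snort[4242]: Outstanding: 0 (0.000%)
"""

def parse_totals(log_text):
    """Return {pid: {counter: value}} for every snort process in the log."""
    totals = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            totals[int(m["pid"])][m["key"]] = int(m["val"])
    return dict(totals)

def assess(c, max_outstanding_pct=1.0):  # threshold is an assumption
    """Assumes the four counters partition Received, as in both quoted blocks."""
    rx = c.get("Received", 0)
    if not rx:
        return []
    findings = []
    if sum(c.get(k, 0) for k in ("Analyzed", "Dropped", "Filtered", "Outstanding")) != rx:
        findings.append("counters do not sum to Received")
    if c.get("Analyzed", 0) == 0:
        findings.append("no packets analyzed")
    if 100.0 * c.get("Outstanding", 0) / rx > max_outstanding_pct:
        findings.append("outstanding above threshold")
    return findings

if __name__ == "__main__":
    for pid, counters in parse_totals(SAMPLE).items():
        print(pid, assess(counters) or "ok")
```

A counter missing from a layout (Filtered in the 2.8.6.1 block) is treated as zero.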
