I'm currently running snortsp beta 3 on a link with very high traffic
(500-600mbits/s) and I have noticed something strange concerning the
packet drop statistics.
We currently run the perfmonitor preprocessor with the following config:
preprocessor perfmonitor: time 600 file /opt/snort/log/current/snort.stats pktcnt 100000
When looking at its output, it always reports a 0.000 packet drop ratio.
However, when I query the snortsp engine directly with eng.stats("e1") in the Lua shell, for example, I get the following:
[*] ACTIVE data source s1 received 153960354 packets on eth2
Analyzed: 70274715 (45.645%)
Dropped: 83685639 (54.355%)
Idle Cycles: 70274660
[-] Ethernet Stats:
Do you see any reason why these two methods would report different numbers? Is the preprocessor printing another drop ratio than the engine?
Also, we have another snort instance running on a production server
(daemon mode), and we would like to check the output of the eng.stats()
command. According to the documentation, it is possible to use the snortsp_tool to interface directly with snortsp through a kernel socket. It works fine to issue commands to snort, but we are unable to redirect its output back to us. There is not much documentation on snortsp_tool out there, so maybe there is an easy way to do that?
Thanks in advance for your expertise!