
[Snort-users] 100% Outstanding - what does that mean?


Bryan Arenal

Aug 9, 2010, 11:04:50 AM
I just set up a new sensor and when checking its performance
statistics, I am seeing a couple of the interfaces with Outstanding at
100%. Here's the output from one of the interfaces:

Aug  9 06:56:54 spock snort[1536]:
===============================================================================
Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug  9 06:56:54 spock snort[1536]:    Injected:            0
Aug  9 06:56:54 spock snort[1536]:
===============================================================================

What exactly does that mean? A Google search shows a February email
from Matt Watchinski saying, "Outstanding means that packets never got
out of the ethernet card before they got dropped. IE pcap didn't get
to them before they disappeared." But the README.counts in the 2.9.0
beta documentation says "Outstanding indicates how many packets are
buffered awaiting processing." So I suppose I'm a bit confused. If
they're buffered, pcap has gotten to them, correct? Can I see why
100% of them are buffered and not processing?

Regards,

Bryan

_______________________________________________
Snort-users mailing list

Justin Heath

Aug 9, 2010, 11:16:43 AM
That means that it's really, really good. In fact, you could say that
it's outstanding! :)

Martin Roesch

Aug 9, 2010, 12:10:48 PM
That's exactly what I was thinking... ;)

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

Bryan Arenal

Aug 9, 2010, 4:47:54 PM
On Mon, Aug 9, 2010 at 09:14, Russ Combs <rco...@sourcefire.com> wrote:
>
>
> On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.ar...@gmail.com> wrote:
>>
>> I just set up a new sensor and when checking its performance
>> statistics, I am seeing a couple of the interfaces with Outstanding at
>> 100%.  Here's the output from one of the interfaces:
>>
>> Aug  9 06:56:54 spock snort[1536]:
>>
>> ===============================================================================
>> Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
>> Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
>> Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
>> Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
>> Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
>> Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
>> Aug  9 06:56:54 spock snort[1536]:    Injected:            0
>> Aug  9 06:56:54 spock snort[1536]:
>>
>> ===============================================================================
>>
>> What exactly does that mean?  A google search shows a February email
>> from Matt Watchinski saying, "Outstanding means that packets never got
>> out of the ethernet card before they got dropped.  IE pcap didn't get
>> to them before they disappeared."  But the README.counts in the 2.9.0
>> beta documentation says "Outstanding indicates how many packets are
>> buffered awaiting processing."  So I suppose I'm a bit confused.  If
>> they're buffered, pcap has gotten to them, correct?  Can I see why
>> 100% of them are buffered and not processing?
>
> The DAQ changes things up a little with 2.9.0.  Which DAQ are you using and
> how is it configured?

That was actually a test box and I haven't done any additional
configuration to DAQ but I do see the same thing on one of my other
machines that's running 2.8.6.1. And CPU utilization on that snort
process is near 0%.

Aug  9 11:23:33 spock snort[13693]:
===============================================================================
Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (  0.000%)
Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (  0.002%)
Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 ( 99.998%)
Aug  9 11:23:33 spock snort[13693]:
===============================================================================

But other processes running on other interfaces are reporting normal
stats. Looks like it's just regular HTTP traffic and not a whole lot
at that.

And thanks for the humor Justin and Marty! :-)

Bryan Arenal

Aug 9, 2010, 5:25:14 PM
On Mon, Aug 9, 2010 at 14:59, Russ Combs <rco...@sourcefire.com> wrote:
> Can you send the snort command line and any DAQ config daq_*  or config
> bpf_* stuff from your conf?
>
> Also, please confirm that all your protocol breakdown counts are zero.
>
> If you can reproduce this without a conf, you should see something like this
> at start up:
>
> $ sudo ./snort ip6
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> Snort BPF option: ip6
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth0".
> Decoding Ethernet
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.0 IPv6 GRE (Build 48)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2010 Sourcefire, Inc., et al.
>            Using libpcap version 1.1.1
>            Using PCRE version: 6.6 06-Feb-2006
>            Using ZLIB version: 1.2.3
>
> Can you send the equivalent?

Russ,

Thanks for the reply. Yes, I've confirmed all proto breakdown counts
are zero and here's the output you've requested:

# snort

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.8.6.1 IPv6 (Build 39)
   ''''    By Martin Roesch & The Snort Team:
           http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2010 Sourcefire, Inc., et al.
           Using PCRE version: 6.6 06-Feb-2006
           Using ZLIB version: 1.2.3

snort 13693 0.6 2.2 342212 231472 ? Rs 04:02 6:37
/usr/sbin/snort -A fast -b -d -D -i eth4 -u snort -g snort -c
/etc/snort/snort.conf -l /var/log/snort/eth4 -F /etc/snort/bpf_file

# cat /etc/snort/bpf_file
(vlan &&
(not host 172.16.234.34) &&
(not host 172.16.234.35) &&
(not host 172.16.234.36) &&
(not host 172.16.234.37) &&
(not host 192.168.41.49) &&
(not host 192.168.41.52) &&
(not host 192.168.41.25) &&
(not host 192.168.41.28)
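As an added example (not code from this thread, from Snort, or from Sourcefire), a small sensor-health check that parses the syslog'd stats blocks quoted above and flags the condition Bryan reports: an interface that receives packets but analyzes none. The sample blocks are reconstructed from the two posted above; the assumption that Received minus Analyzed, Dropped and Filtered equals Outstanding is mine, and holds for both of them.

```python
import re
from typing import Dict

# Constructed samples: the 2.9.0 "Packet I/O Totals" block and the 2.8.6.1
# "Packet Wire Totals" block from this thread, as syslog records them.
SAMPLE_290 = """\
Aug  9 06:56:54 spock snort[1536]: Packet I/O Totals:
Aug  9 06:56:54 spock snort[1536]:    Received:    202781012
Aug  9 06:56:54 spock snort[1536]:    Analyzed:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:     Dropped:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]:    Filtered:            0 (  0.000%)
Aug  9 06:56:54 spock snort[1536]: Outstanding:    202781012 (100.000%)
Aug  9 06:56:54 spock snort[1536]:    Injected:            0
"""
SAMPLE_2861 = """\
Aug  9 11:23:33 spock snort[13693]: Packet Wire Totals:
Aug  9 11:23:33 spock snort[13693]:    Received:    149221835
Aug  9 11:23:33 spock snort[13693]:    Analyzed:            0 (  0.000%)
Aug  9 11:23:33 spock snort[13693]:     Dropped:         2338 (  0.002%)
Aug  9 11:23:33 spock snort[13693]: Outstanding:    149219497 ( 99.998%)
"""

# "<Counter>: <integer>" following the syslog "snort[pid]:" prefix
COUNTER_RE = re.compile(r"snort\[\d+\]:\s+(\w+):\s+(\d+)")

def parse_totals(text: str) -> Dict[str, int]:
    """Return the named integer counters found in one Snort stats block."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts

def check_sensor(counts: Dict[str, int]) -> dict:
    """Health verdict for one interface from its parsed counters."""
    recv = counts.get("Received", 0)
    analyzed = counts.get("Analyzed", 0)
    dropped = counts.get("Dropped", 0)
    filtered = counts.get("Filtered", 0)   # 2.8.6.1 does not print this row
    outstanding = counts.get("Outstanding", 0)
    problems = []
    # Assumed relation between the counters (true of both blocks in the
    # thread); a mismatch most likely means a truncated or garbled block.
    if recv - analyzed - dropped - filtered != outstanding:
        problems.append("counters do not add up; stats block garbled?")
    if recv > 0 and analyzed == 0:
        problems.append("packets received but none analyzed: no detection here")
    pct = 100.0 * outstanding / recv if recv else 0.0
    return {"outstanding_pct": pct, "problems": problems, "healthy": not problems}
```

Run it over each interface's stats block at the logging interval and alert on any unhealthy verdict; an interface that is receiving traffic with zero analyzed packets is producing no alerts regardless of rule set.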
