Subject: Re: [Snort-users] Looooots of "Outstanding" and "Analyzed" packets - counter wrap ?
Date: Thu, 23 Nov 2006 19:34:18 +0100
Hi.

I was asked (off-list) to provide some additional information,
esp. the packet counters from the OS.

debian3164m:~# netstat -ni 
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0    413593      0      0      0  287444      0      0      0 ABMRU
lo    16436 0     78789      0      0      0   78789      0      0      0 LRU

[... several hours later ...]
debian3164m:~# netstat -ni ; pkill snort
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0    424152      0      0      0  289605      0      0      0 ABMRU
lo    16436 0     84348      0      0      0   84348      0      0      0 LRU

I am snorting on eth0 (non-promiscuous). So after 12720 packets
(10559 receiving and 2161 transmitting) I killed snort
and as packet statistics it gave:
Snort ran for 0 Days 12 Hours 10 Minutes 16 Seconds
Packet analysis time averages:

Snort Analyzed 30 Packets Per Hour
Snort Analyzed 0 Packets Per Minute
Snort Analyzed 0 Packets Per Second

Snort received 367 packets
Analyzed: 12715(3464.577%)
Dropped: 0(0.000%)
Outstanding: 4294954948(5026360781529153536.000%)
===============================================================================
Breakdown by protocol:
TCP: 3799 (29.878%)
UDP: 736 (5.788%)
ICMP: 189 (1.486%)
ARP: 7991 (62.847%)
EAPOL: 0 (0.000%)
IPv6: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
FRAG: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
===============================================================================
Action Stats:
ALERTS: 20
LOGGED: 20
PASSED: 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 3799 (29.878%)
Stream Trackers: 164
Stream flushes: 619
Segments used: 1395
Segments Queued: 1397
Stream4 Memory Faults: 0
===============================================================================
Snort exiting

This weird number also occurs if I request these statistics via SIGUSR1.
And again I will get a reasonable number of outstanding packets (what are
outstanding packets?) if I subtract Snort's number of outstanding
packets from 2^32 (2**32 - 4294954948 = 12348).

Any hints/clues?

Thanks,

Andreas.

P.S.: Of course I will try the fresh and shiny new snort released
yesterday.
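The arithmetic behind the post's "Outstanding" figure, as an added example that is not part of the original message and not Snort's own code. The premise is an observation about the posted numbers: received (367) minus analyzed (12715) is -12348, and -12348 reduced modulo 2^32 is exactly 4294954948, while 12715 * 100 / 367 gives the printed 3464.577%. The struct, the function names and the consistency check are hypothetical illustrations of how an unsigned 32-bit subtraction turns a negative difference into a huge backlog, how to recover its magnitude the way the post does by hand, and how a summary routine could flag the inconsistent counter pair instead of printing it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit packet-count summary (hypothetical; not Snort's code). */
typedef struct {
    uint32_t received;
    uint32_t analyzed;
    uint32_t dropped;
} pkt_counts_t;

/* The figures from the post's final summary: received, analyzed, dropped. */
static const pkt_counts_t post_counts = { 367u, 12715u, 0u };

/* Naive derivation: unsigned 32-bit subtraction. When analyzed exceeds
 * received the result wraps modulo 2^32 instead of going negative. */
uint32_t outstanding_naive(const pkt_counts_t *c)
{
    return c->received - c->analyzed - c->dropped;
}

/* Same quantity in signed 64-bit arithmetic: a negative value exposes an
 * inconsistent counter pair instead of disguising it as a backlog. */
int64_t outstanding_checked(const pkt_counts_t *c)
{
    return (int64_t)c->received - (int64_t)c->analyzed - (int64_t)c->dropped;
}

/* Recover the magnitude of a wrapped value, i.e. 2^32 - wrapped, which is the
 * subtraction the post performs by hand. In uint32_t, 0u - x is exactly that. */
uint32_t unwrap_magnitude(uint32_t wrapped)
{
    return 0u - wrapped;
}

/* Consistency check a summary routine could apply before printing:
 * the sub-counts can never add up to more than the packets received. */
int counters_consistent(const pkt_counts_t *c)
{
    uint64_t accounted = (uint64_t)c->analyzed + (uint64_t)c->dropped;
    return accounted <= (uint64_t)c->received;
}

/* Percentage in the form the summary prints it: part * 100 / total. */
double percent(uint32_t part, uint32_t total)
{
    return total ? (double)part * 100.0 / (double)total : 0.0;
}

int main(void)
{
    const pkt_counts_t *c = &post_counts;
    uint32_t naive = outstanding_naive(c);

    printf("Snort received %" PRIu32 " packets\n", c->received);
    printf("Analyzed: %" PRIu32 "(%.3f%%)\n", c->analyzed,
           percent(c->analyzed, c->received));
    printf("Outstanding (uint32 wrap): %" PRIu32 "\n", naive);
    printf("Outstanding (signed 64):   %" PRId64 "\n", outstanding_checked(c));
    printf("2^32 - wrapped value:      %" PRIu32 "\n", unwrap_magnitude(naive));
    printf("Counters consistent:       %s\n",
           counters_consistent(c) ? "yes" : "no (analyzed > received)");
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 wrap.c`). The point for anyone reading such a summary is that 4294954948 is not a count of anything; it is the two's-complement image of -12348, and the actionable anomaly is that the "received" counter (367) is far smaller than "analyzed" (12715), which is what the consistency check reports.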

