|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Martin Roesch (roesch
sourcefire.com)
Date: Mon Aug 09 2010 - 11:10:48 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
That's exactly what I was thinking... ;)
On Mon, Aug 9, 2010 at 11:16 AM, Justin Heath <justin.heathgmail.com> wrote:
> That means that it's really, really good. In fact, you could say that
> it's outstanding! :)
>
> On Mon, Aug 9, 2010 at 11:04 AM, Bryan Arenal <b.arenalgmail.com> wrote:
>> I just set up a new sensor and when checking its performance
>> statistics, I am seeing a couple of the interfaces with Outstanding at
>> 100%. Here's the output from one of the interfaces:
>>
>> Aug 9 06:56:54 spock snort[1536]:
>> ===============================================================================
>> Aug 9 06:56:54 spock snort[1536]: Packet I/O Totals:
>> Aug 9 06:56:54 spock snort[1536]: Received: 202781012
>> Aug 9 06:56:54 spock snort[1536]: Analyzed: 0 ( 0.000%)
>> Aug 9 06:56:54 spock snort[1536]: Dropped: 0 ( 0.000%)
>> Aug 9 06:56:54 spock snort[1536]: Filtered: 0 ( 0.000%)
>> Aug 9 06:56:54 spock snort[1536]: Outstanding: 202781012 (100.000%)
>> Aug 9 06:56:54 spock snort[1536]: Injected: 0
>> Aug 9 06:56:54 spock snort[1536]:
>> ===============================================================================
>>
>> What exactly does that mean? A google search shows a February email
>> from Matt Watchinski saying, "Outstanding means that packets never got
>> out of the ethernet card before they got dropped. IE pcap didn't get
>> to them before they disappeared." But the README.counts in the 2.9.0
>> beta documentation says "Outstanding indicates how many packets are
>> buffered awaiting processing." So I suppose I'm a bit confused. If
>> they're buffered, pcap has gotten to them, correct? Can I see why
>> 100% of them are buffered and not processing?
>>
>> Regards,
>>
>> Bryan
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by
>>
>> Make an app they can't live without
>> Enter the BlackBerry Developer Challenge
>> http://p.sf.net/sfu/RIM-dev2dev
>> _______________________________________________
>> Snort-users mailing list
>> Snort-userslists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-userslists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
------------------------------------------------------------------------------
This SF.net email is sponsored by
Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]