
Snort Forums Archive


Snort Challenge - Measuring packet loss


Posted by brevizniak on December 04, 2005 16:52:42

What are some of the methods you can use to measure packet drops?

Posted by adidas30 on January 06, 2006 04:39:45

I find this is the best way to get accurate statistics based on how you normally run snort, without any extra load produced by the perfmon plug-in.

1) Run a ps -ef | grep snort
2) Copy the command that was used to run snort in daemon mode. For ex: /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -Do
3) Stop the snort daemon from running.
4) Run the same command but without the -D flag. For ex: /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -o
5) Wait 5 min, an hour, a day, etc., then interrupt the process. (Remember to start snort in daemon mode again.)
6) Then I view the output snort sent to stdout and look at the packets section.

Ex. Snort received 139 packets
Analyzed: 139(100.000%)
Dropped: 0(0.000%)

Posted by brevizniak on January 06, 2006 14:13:08

This requires you to stop snort and restart it manually. How can you continuously monitor for dropped packets without having to restart snort?

There are at least 3 accurate yet different answers to this question.

Posted by kens on January 06, 2006 14:34:20

Determine the Snort Process ID.

# ps -ef | grep snort

Once you have this value you can use it to issue the following kill command which won't actually kill the Snort process but will tell Snort to dump its performance statistics.

# kill -USR1 "Snort Process ID"
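The two answers above combine into a small monitoring routine: ask the running Snort to dump its statistics with SIGUSR1, then parse the "Dropped:" line of the dump against a threshold. This is an added example, not code from the thread; it assumes the process is named "snort" and that you feed it the statistics text Snort emitted (where that text lands, stderr or syslog, depends on how Snort was started, so collecting it is left to the caller).

```shell
#!/bin/sh
# Constructed sample of the statistics block Snort prints (same layout as
# the excerpt earlier in this thread); used only to exercise the parser.
SAMPLE_STATS='Snort received 2000 packets
    Analyzed: 1753(87.650%)
    Dropped: 247(12.350%)'

# Print the dropped-packet percentage found in Snort statistics text on
# stdin (e.g. "12.350"). Exits non-zero if no "Dropped:" line is present.
drop_percent() {
    awk '/^[[:space:]]*Dropped:/ {
            s = $0
            sub(/.*\(/, "", s)      # keep the text after "("
            sub(/%.*/, "", s)       # keep the text before "%"
            pct = s; found = 1
         }
         END { if (!found) exit 1; print pct }'
}

# Read statistics text on stdin and compare the drop rate with $1 (percent).
# Returns 0 when at or below the threshold, 1 when above, 2 when unparsable.
drops_within_limit() {
    pct=$(drop_percent) || return 2
    awk -v p="$pct" -v t="$1" 'BEGIN { exit (p + 0 > t + 0) }'
}

# Ask every running Snort (assumed process name "snort") to dump its
# statistics, as kens describes: SIGUSR1 does not terminate the process.
# Returns non-zero if no Snort is running or a signal could not be sent.
request_snort_stats() {
    pids=$(pgrep -x snort) || return 1
    for pid in $pids; do
        kill -USR1 "$pid" || return 1
    done
}
```

Run request_snort_stats from cron, then pipe the fresh statistics block into drops_within_limit with your acceptable drop percentage and alert on a non-zero exit.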