Snort - the de facto standard for intrusion detection/prevention
the de facto standard in IPS  
Got Source? About Snort About Sourcefire Snort FAQ
Sourcefire Network Security - the creators of Snort
Snort News Snort Downloads Snort Rules Snort Docs Snort Training Snort Forums Snort Community Snort Store
Search Site
Search Rules
Account
email
password
not registered?
can't login?
user preferences
next up previous contents
Next: Output Modules Up: Preprocessor Profiling Previous: Examples   Contents

Output

Snort will print a table much like the following at exit.

Figure: Preprocessor Profiling Example Output
\begin{figure}\footnotesize { \begin{verbatim}Preprocessor Profile Statistics ... ... total total 0 1018323 1018323 550830338 540.9 0.0\end{verbatim} }\end{figure}

Configuration line used to print the above table: config profile_rules: print 3, sort total_ticks

The columns represent:

  • Number (rank) - The number is indented for each layer. Layer 1 preprocessors are listed under their respective caller (and sorted similarly).
  • Preprocessor Name
  • Layer - When printing a specific number of preprocessors all subtasks info for a particular preprocessor is printed for each layer 0 preprocessor stat.
  • Checks (number of times preprocessor decided to look at a packet, ports matched, app layer header was correct, etc)
  • Exits (number of corresponding exits - just to verify code is instrumented correctly, should ALWAYS match Checks, unless an exception was trapped)
  • CPU Ticks
  • Avg Ticks per Check
  • Percent of caller - For non layer 0 preprocessors, i.e. subroutines within preprocessors, this identifies the percent of the caller's ticks that is spent for this subtask.

Because of task swapping, non-instrumented code, and other factors, the Pct of Caller field will not add up to 100% of the caller's time. It does give a reasonable indication of how much relative time is spent within each subtask.

next up previous contents
Next: Output Modules Up: Preprocessor Profiling Previous: Examples   Contents
Steven Sturges 2007-10-04
site feedback | Terms of Use | Privacy Policy | forum archives ©2008 Snort and Sourcefire are registered trademarks of Sourcefire, Inc. All rights reserved.