
[Snort-devel] [PATCH]: bad calculation of the amount of drop.

From: Yoann Vandoorselaere <yoann(at)prelude-ids.org>
Date: Wed Oct 01 2003 - 10:46:54 EDT


Hi,

It seems that Snort has a bug preventing the calculation of the correct number of dropped packets. This bug makes snort report ~50% of dropped packets when there are in fact ~99% of drops.

In order to compute the number of dropped packets, snort uses the statistics provided by pcap through the pcap_stat structure.

This structure contains two fields:

  • ps_recv is the total number of packets received, _including DROP_.
  • ps_drop is the number of packets dropped by the kernel.

The correct way to gather the number of analyzed packets is to subtract ps_drop from ps_recv. Adding a simple packet counter to snort will provide you with the proof that the correct way to calculate the percentage of DROP is to use ps_recv - ps_drop.

Also the following comment in the pcap source code describes this behavior, from pcap-bpf.c (the same kind of comment is present in pcap-linux.c):

 /*
  * "ps_recv" counts packets handed to the filter, not packets
  * that passed the filter. This includes packets later dropped
  * because we ran out of buffer space.
  *
  * "ps_drop" counts packets dropped inside the BPF device
  * because we ran out of buffer space. It doesn't count
  * packets dropped by the interface driver. It counts
  * only packets that passed the filter.
  *
  * Both statistics include packets not yet read from the kernel
  * by libpcap, and thus not yet seen by the application.
  */

The same kind of comment is present in pcap-linux.c

The current code in Snort that calculates the number of drops is in util.c:


LogMessage("Snort analyzed %d out of %d packets, ",
           ps.ps_recv, ps.ps_recv+ps.ps_drop);

As ps_recv already contains the number of drops, the line of code in question should look more like:

LogMessage("Snort analyzed %d out of %d packets, ",
           ps.ps_recv - ps.ps_drop, ps.ps_recv);

Then the following offending line of code:

LogMessage("dropping %d(%.3f%%) packets\n\n",
           ps.ps_drop,
           CalcPct( (float) ps.ps_drop, (float) (ps.ps_recv+ps.ps_drop) ));

That should be corrected to:


LogMessage("dropping %d(%.3f%%) packets\n\n",
           ps.ps_drop,
           CalcPct( (float) ps.ps_drop, (float) ps.ps_recv ));

Also, the per-protocol breakdown should probably be fixed to be computed against the number of received packets, and not the number of packets received + the number of DROP (the patch doesn't fix this, and keeps the current behavior).

-- 
Yoann Vandoorselaere 
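Added example (not part of the original mail or of Snort's source): the two drop-percentage formulas side by side on constructed counters, plus the "simple packet counter" check the mail mentions. The struct is a local stand-in for libpcap's pcap_stat so the program compiles without libpcap; calc_pct reproduces the arithmetic of Snort's CalcPct() as an assumption.

```c
#include <stdio.h>

/* Local stand-in for libpcap's struct pcap_stat (pcap.h), so this builds
 * without libpcap. Per the pcap-bpf.c comment, ps_recv already includes
 * the packets counted in ps_drop. */
struct pcap_stat_example {
    unsigned int ps_recv;   /* packets handed to the filter, drops included */
    unsigned int ps_drop;   /* packets dropped by the kernel (no buffer space) */
};

/* Assumed equivalent of Snort's CalcPct(): percentage of cnt over total. */
static float calc_pct(float cnt, float total)
{
    return total > 0.0f ? (cnt / total) * 100.0f : 0.0f;
}

/* Drop percentage as the unpatched util.c computes it: the denominator
 * ps_recv + ps_drop counts every dropped packet twice. */
float drop_pct_buggy(unsigned int ps_recv, unsigned int ps_drop)
{
    return calc_pct((float)ps_drop, (float)(ps_recv + ps_drop));
}

/* Drop percentage as the patch computes it: ps_drop over ps_recv. */
float drop_pct_fixed(unsigned int ps_recv, unsigned int ps_drop)
{
    return calc_pct((float)ps_drop, (float)ps_recv);
}

/* Packets actually delivered to the application: ps_recv - ps_drop. */
unsigned int analyzed_fixed(unsigned int ps_recv, unsigned int ps_drop)
{
    return ps_recv - ps_drop;
}

/* The check the mail proposes: a per-packet counter kept by the application
 * must agree with ps_recv - ps_drop, not with ps_recv. Returns 1 if it does. */
int counter_matches(unsigned int ps_recv, unsigned int ps_drop, unsigned int counted)
{
    return counted == analyzed_fixed(ps_recv, ps_drop);
}

int main(void)
{
    /* Constructed counters: 10000 handed to the filter, 9900 of them dropped. */
    struct pcap_stat_example ps = { 10000, 9900 };
    printf("buggy: analyzed %u out of %u, dropping %u (%.3f%%)\n", ps.ps_recv,
           ps.ps_recv + ps.ps_drop, ps.ps_drop, drop_pct_buggy(ps.ps_recv, ps.ps_drop));
    printf("fixed: analyzed %u out of %u, dropping %u (%.3f%%)\n",
           analyzed_fixed(ps.ps_recv, ps.ps_drop), ps.ps_recv, ps.ps_drop,
           drop_pct_fixed(ps.ps_recv, ps.ps_drop));
    return 0;
}
```

With these counters the unpatched formula reports about 49.7% drops while the patched one reports 99%, which is the ~50% versus ~99% discrepancy described in the mail.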


Received on Wed Oct 1 10:53:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT
