Output

Next: Packet Performance Monitoring (PPM) Up: Preprocessor Profiling Previous: Examples Contents

Output

Snort will print a table much like the following at exit.

**Figure 2.2:** Preprocessor Profiling Example Output
$\begin{figure}\footnotesize { \begin{verbatim}Preprocessor Profile Statistics ... ...tal total 0 311202 311202 14011946 45.03 0.00 0.00\end{verbatim} }\end{figure}$

Configuration line used to print the above table:

    config profile_preprocs: \
        print 10, sort total_ticks

The columns represent:

Number (rank) - The number is indented for each layer. Layer 1 preprocessors are listed under their respective caller (and sorted similarly).
Preprocessor Name
Layer - When printing a specific number of preprocessors all subtasks info for a particular preprocessor is printed for each layer 0 preprocessor stat.
Checks (number of times preprocessor decided to look at a packet, ports matched, app layer header was correct, etc)
Exits (number of corresponding exits - just to verify code is instrumented correctly, should ALWAYS match Checks, unless an exception was trapped)
CPU Ticks
Avg Ticks per Check
Percent of caller - For non layer 0 preprocessors, i.e. subroutines within preprocessors, this identifies the percent of the caller's ticks that is spent for this subtask.

Because of task swapping, non-instrumented code, and other factors, the Pct of Caller field will not add up to 100% of the caller's time. It does give a reasonable indication of how much relative time is spent within each subtask.

By default, this information will be printed to the console when Snort exits. You can use the "filename" option in snort.conf to specify a file where this will be written. If "append" is not specified, a new file will be created each time Snort is run. The filenames will have timestamps appended to them. These files will be found in the logging directory.

Next: Packet Performance Monitoring (PPM) Up: Preprocessor Profiling Previous: Examples Contents

Eugene Misnik 2013-05-08