doc: statistics
authorJason Ish <ish@unx.ca>
Thu, 17 Dec 2015 17:10:16 +0000 (11:10 -0600)
committerVictor Julien <victor@inliniac.net>
Wed, 28 Sep 2016 11:11:10 +0000 (13:11 +0200)
doc/sphinx/performance/index.rst
doc/sphinx/performance/statistics.rst [new file with mode: 0644]

index 252652f9eda4dcd0c657c08126e3a9e2d04e280c..532b61ad20ecb27339349c9b976c2f5ca2a549ee 100644 (file)
@@ -5,3 +5,4 @@ Performance
 
    high-performance-config
    tuning-considerations
+   statistics
diff --git a/doc/sphinx/performance/statistics.rst b/doc/sphinx/performance/statistics.rst
new file mode 100644 (file)
index 0000000..c2f3a25
--- /dev/null
@@ -0,0 +1,161 @@
+Statistics
+==========
+
+The stats.log produces statistics records on a fixed interval, by
+default every 8 seconds.
+
+stats.log file
+--------------
+
+::
+
+  -------------------------------------------------------------------
+  Counter                   | TM Name                   | Value
+  -------------------------------------------------------------------
+  flow_mgr.closed_pruned    | FlowManagerThread         | 154033
+  flow_mgr.new_pruned       | FlowManagerThread         | 67800
+  flow_mgr.est_pruned       | FlowManagerThread         | 100921
+  flow.memuse               | FlowManagerThread         | 6557568
+  flow.spare                | FlowManagerThread         | 10002
+  flow.emerg_mode_entered   | FlowManagerThread         | 0
+  flow.emerg_mode_over      | FlowManagerThread         | 0
+  decoder.pkts              | RxPcapem21                | 450001754
+  decoder.bytes             | RxPcapem21                | 409520714250
+  decoder.ipv4              | RxPcapem21                | 449584047
+  decoder.ipv6              | RxPcapem21                | 9212
+  decoder.ethernet          | RxPcapem21                | 450001754
+  decoder.raw               | RxPcapem21                | 0
+  decoder.sll               | RxPcapem21                | 0
+  decoder.tcp               | RxPcapem21                | 448124337
+  decoder.udp               | RxPcapem21                | 542040
+  decoder.sctp              | RxPcapem21                | 0
+  decoder.icmpv4            | RxPcapem21                | 82292
+  decoder.icmpv6            | RxPcapem21                | 9164
+  decoder.ppp               | RxPcapem21                | 0
+  decoder.pppoe             | RxPcapem21                | 0
+  decoder.gre               | RxPcapem21                | 0
+  decoder.vlan              | RxPcapem21                | 0
+  decoder.avg_pkt_size      | RxPcapem21                | 910
+  decoder.max_pkt_size      | RxPcapem21                | 1514
+  defrag.ipv4.fragments     | RxPcapem21                | 4
+  defrag.ipv4.reassembled   | RxPcapem21                | 1
+  defrag.ipv4.timeouts      | RxPcapem21                | 0
+  defrag.ipv6.fragments     | RxPcapem21                | 0
+  defrag.ipv6.reassembled   | RxPcapem21                | 0
+  defrag.ipv6.timeouts      | RxPcapem21                | 0
+  tcp.sessions              | Detect                    | 41184
+  tcp.ssn_memcap_drop       | Detect                    | 0
+  tcp.pseudo                | Detect                    | 2087
+  tcp.invalid_checksum      | Detect                    | 8358
+  tcp.no_flow               | Detect                    | 0
+  tcp.reused_ssn            | Detect                    | 11
+  tcp.memuse                | Detect                    | 36175872
+  tcp.syn                   | Detect                    | 85902
+  tcp.synack                | Detect                    | 83385
+  tcp.rst                   | Detect                    | 84326
+  tcp.segment_memcap_drop   | Detect                    | 0
+  tcp.stream_depth_reached  | Detect                    | 109
+  tcp.reassembly_memuse     | Detect                    | 67755264
+  tcp.reassembly_gap        | Detect                    | 789
+  detect.alert              | Detect                    | 14721
+
+Detecting packet loss
+~~~~~~~~~~~~~~~~~~~~~
+
+At shut down, Suricata reports the packet loss statistics it gets from
+pcap, pfring or afpacket
+
+::
+
+  [18088] 30/5/2012 -- 07:39:18 - (RxPcapem21) Packets 451595939, bytes 410869083410
+  [18088] 30/5/2012 -- 07:39:18 - (RxPcapem21) Pcap Total:451674222 Recv:451596129 Drop:78093 (0.0%).
+
+Usually, this is not the complete story though. These are kernel drop
+stats, but the NIC may also have dropped packets. Use ethtool to get
+to those:
+
+::
+
+  # ethtool -S em2
+  NIC statistics:
+       rx_packets: 35430208463
+       tx_packets: 216072
+       rx_bytes: 32454370137414
+       tx_bytes: 53624450
+       rx_broadcast: 17424355
+       tx_broadcast: 133508
+       rx_multicast: 5332175
+       tx_multicast: 82564
+       rx_errors: 47
+       tx_errors: 0
+       tx_dropped: 0
+       multicast: 5332175
+       collisions: 0
+       rx_length_errors: 0
+       rx_over_errors: 0
+       rx_crc_errors: 51
+       rx_frame_errors: 0
+       rx_no_buffer_count: 0
+       rx_missed_errors: 0
+       tx_aborted_errors: 0
+       tx_carrier_errors: 0
+       tx_fifo_errors: 0
+       tx_heartbeat_errors: 0
+       tx_window_errors: 0
+       tx_abort_late_coll: 0
+       tx_deferred_ok: 0
+       tx_single_coll_ok: 0
+       tx_multi_coll_ok: 0
+       tx_timeout_count: 0
+       tx_restart_queue: 0
+       rx_long_length_errors: 0
+       rx_short_length_errors: 0
+       rx_align_errors: 0
+       tx_tcp_seg_good: 0
+       tx_tcp_seg_failed: 0
+       rx_flow_control_xon: 0
+       rx_flow_control_xoff: 0
+       tx_flow_control_xon: 0
+       tx_flow_control_xoff: 0
+       rx_long_byte_count: 32454370137414
+       rx_csum_offload_good: 35270755306
+       rx_csum_offload_errors: 65076
+       alloc_rx_buff_failed: 0
+       tx_smbus: 0
+       rx_smbus: 0
+       dropped_smbus: 0
+
+Kernel drops
+------------
+
+stats.log contains interesting information in the
+capture.kernel_packets and capture.kernel_drops. The meaning of them
+is different following the capture mode.
+
+In AF_PACKET mode:
+
+* kernel_packets is the number of packets correctly sent to userspace
+* kernel_drops is the number of packets that have been discarded instead of being sent to userspace
+
+In PF_RING mode:
+
+* kernel_packets is the total number of packets seen by pf_ring
+* kernel_drops is the number of packets that have been discarded instead of being sent to userspace
+
+In the Suricata stats.log the TCP data gap counter is also an
+indicator, as it accounts missing data packets in TCP streams:
+
+::
+
+  tcp.reassembly_gap        | Detect                    | 789
+
+Ideally, this number is 0. Not only pkt loss affects it though, also
+bad checksums and stream engine running out of memory.
+
+Tools to plot graphs
+--------------------
+
+Some people made nice tools to plot graphs of the statistics file.
+
+* `ipython and matplotlib script <https://github.com/regit/suri-stats>`_
+* `Monitoring with Zabbix or other <http://christophe.vandeplas.com/2013/11/suricata-monitoring-with-zabbix-or-other.html>`_ and `Code on Github <https://github.com/cvandeplas/suricata_stats>`_