Sniffer Buffer Usage Monitor domain
Inspection engine statistics. This topic describes the domain's entities and attributes.
Available to roles: none
Sniffer Buffer Usage Entity
The system creates this entity at the interval set by the store monitor buffer usage interval CLI command (every 60 seconds by default).
Attribute | Description |
---|---|
Timestamp | The time the data was collected. |
% CPU Sniffer | A normalized representation of sniffer CPU usage. For example, 50% sniffer usage on an 8-core appliance means that the sniffer is using 400% CPU (four cores). % CPU Sniffer can be used as a proxy to identify other problems, or to see whether an appliance has moved away from its "normal" values, indicating that something changed. For example, when sniffer CPU is high the analyzer queue is often higher as well, meaning the number of flat log requests is high; the number of flat log requests is, however, the more direct indicator. Higher sniffer CPU can also indicate a change in traffic volume or type. |
% Mem Sniffer | Percentage of memory that is used by the running sniffer process. |
% CPU Mysql | A normalized representation of the running MySQL CPU usage. % CPU Mysql can be used as a proxy to identify other problems, or to see whether an appliance has moved away from its "normal" values, indicating that something changed. For example, when % CPU Mysql is high the logger queue might be higher, meaning a greater chance of sniffer restarts; checking for sniffer restarts is, however, the more direct observation. % CPU Mysql can also be higher because of other non-sniffer processes running on the system, such as aggregation or audit processes. |
% Mem Mysql | The percentage of total system memory that is used by the MySQL database. Provides general background information. This value goes up or down depending on usage of the system. The exact value is not important unless a problem was identified. |
Sniffer Process ID | The sniffer process ID. The PID value in this column changes when the sniffer restarts. |
Mem Sniffer | Sniffer memory usage in kB. Sniffer memory usage is always greater than 0 when the sniffer is running. The memory usage increases as more data is held in the logger queue. Memory that is allocated to the sniffer is not released until the sniffer restarts. |
Time Sniffer | Elapsed time used by sniffer. |
Free Buffer Space | The percentage of free buffer space for the sniffer process. The sniffer buffer engine is only used in implementations that use SPAN ports, Network TAPs, or S-TAP PCAP. If the native S-TAP drivers are used, this value usually remains at 100%. |
Analyzer Rate | An approximate representation of the amount of data that is processed by the Analyzer/Parser per minute. The unit of data that is represented is an internal structure that is closely analogous to a packet. The maximum analyzer rate that a specific appliance can handle is a function of several variables, such as the appliance hardware, the type of data that is analyzed and parsed, and the type of rules that are used in the policy. Therefore, analyzer rate alone is not a good indicator of sniffer load, but it can be a good way to identify the busiest times of the day. The Analyzer Rate does not have a generic value that is problematic or a generic 'best practice' value. |
Logger Rate | A rough representation of the amount of data that is processed by the logger per minute. The units here represent the parsed components of the SQL traffic that is inserted into the appliance’s internal MySQL database. As with analyzer rate, the logger rate an appliance can handle depends on many factors, such as the appliance hardware, size of SQL statements that are logged, type of policy, and overall load on MySQL imposed by reports, and alerts. |
Analyzer Queue Length | Indicates the amount of data that is in the Analyzer/Parser buffer. This value is one of the most direct indicators of sniffer performance. Ideally, the value remains at, or close to, zero. The analyzer queue might grow temporarily during temporary periods of high traffic, but should never remain elevated for more than five or six rows (5 - 6 minutes) in the Buffer Usage Monitor report. The Analyzer/Parser buffer is circular. When the analyzer goes over 80% of queue full, it starts to drop data or put it into flat log, depending on the system configuration. For more information, see Flat log process. |
Analyzer Total | Total number of messages already analyzed. |
Logger Queue Length | The amount of SQL data that is in the logger buffer and waiting to be inserted into the collector’s database. Similar to the analyzer queue, a consistently high amount of data in the logger queue indicates that the appliance is unable to cope with the amount of traffic that is monitored. Temporary spikes in buffered data are normal, provided the buffer is flushed within several minutes. |
Logger Total | Total number of messages already logged. |
Session Queue Length | The total number of open sessions that are monitored by the sniffer. This information is important because the sniffer must allocate a certain amount of memory for each session that is monitored, and it cannot monitor more than 4000 simultaneous sessions. |
Session Total | The overall number of sessions that were opened and closed since the last sniffer restart. Session total can be useful to correlate a spike with other statistics. |
Handler Data | Internal sniffing engine data. |
Extra information | Internal sniffing engine data. |
Analyzer Lost Packets | Deprecated. |
Eth0 Received | Messages received on the primary interface. |
Eth0 Sent | Messages sent on the primary interface. |
Logger Dbs Monitored | List of database types currently being monitored. |
Logger Packets Ignored by Rule | Packets ignored by policy rule action. |
Logger Session Count | Count of sessions logged. |
Mysql Disk Usage | The current MySQL disk usage (percentage). High or increasing MySQL disk usage means that the appliance might be in danger of reaching or exceeding 90% full, at which point the sniffer automatically stops. |
Mysql Is Up | Boolean indicator for internal database restart (1=was restarted, 0=not restarted). |
Promiscuous Received | Rate of received packets through the sniffing network cards (non-interface ports). |
Sniffer Connections Ended | Total number of connections that were monitored and ended since the inspection engine was restarted. |
Sniffer Connections Used | Total number of connections currently being monitored since inspection engine was restarted. |
Sniffer Packets Dropped | Packets dropped by sniffer. |
Sniffer Packets Ignored | Packets ignored by sniffer. |
Sniffer Packets Throttled | Total number of connections that were ignored due to throttling since inspection engine was restarted. |
System Cpu Load | A normalized representation of total system CPU usage. System CPU load is derived from % CPU Sniffer and % CPU Mysql, plus other loads on the CPU. Because it is derived from several measurements, it does not indicate a specific problem; when higher than normal, it can indicate an underlying problem in many areas. |
System Memory Usage | System memory utilization. |
System Root Disk Usage | System Root disk utilization. |
System Uptime | Time since last start-up. |
System Var Disk Usage | The utilization of the /var partition. Most of files that are generated by the appliance are stored in /var. |
Sessions normal | Count of normal sessions. |
Sessions not opened | Count of sessions not opened by sniffer. |
Sessions timeout | Count of sessions timed-out. |
Sessions ignored | Count of sessions ignored by sniffer. |
Session Direct closed | Count of sessions directly closed. |
Session guessed | Count of sessions guessed. |
Open FDs | Open File Descriptors. |
DB Open FDs | Database open File Descriptors. |
Di Rate | Relevant for FAM crawler traffic or other traffic that is logged in the Di tables. |
Di Queue Length | Relevant for FAM crawler traffic or other traffic that is logged in the Di tables. |
Di Total | Relevant for FAM crawler traffic or other traffic that is logged in the Di tables. |
Di Lost Packets | Relevant for FAM crawler traffic or other traffic that is logged in the Di tables. |
Flat Log Requests | Number of requests that were flat logged. Flat log requests indicate that the sniffer is dropping packets, usually because of an analyzer queue overflow caused by high traffic. Flat log requests do not increase in a system that is working correctly; if flat log requests go over the threshold even once, it is a concern. Flat log, when configured, takes the overflow from the buffer, stores it in a flat log, and later feeds it back to the sniffer for full analysis according to the policies. For more information, see Flat log process. |
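The thresholds scattered through this table (analyzer queue not elevated for more than five or six consecutive rows, flat log requests never increasing, a changed Sniffer Process ID meaning a restart, a hard limit of 4000 sessions, the sniffer stopping at 90% MySQL disk usage) can be applied mechanically to an export of this entity. The following Python is an added example, not IBM Guardium code or tooling: it assumes the rows are exported as CSV with the attribute names above as column headers, uses only a subset of the columns, warns at an assumed 90% of the session limit, and runs over constructed sample rows rather than data captured from an appliance.

```python
"""Health checks over exported Sniffer Buffer Usage Monitor rows.

Added example (not IBM Guardium code). Column names match the attribute
names in the table; the CSV layout, the warn-at-90%-of-limit session rule
and the sample rows are assumptions / constructed data.
"""
import csv
import io

# Thresholds taken from the table text.
MAX_SESSIONS = 4000          # the sniffer cannot monitor more than 4000 simultaneous sessions
DISK_STOP_PCT = 90           # the sniffer stops automatically at 90% MySQL disk usage
MAX_ELEVATED_ROWS = 6        # analyzer queue should not stay elevated for more than 5-6 rows
SESSION_WARN_FRACTION = 0.9  # assumption: warn once 90% of the session limit is in use

# Constructed sample export (not captured from an appliance): one row per 60-second interval.
SAMPLE_CSV = """Timestamp,Sniffer Process ID,Analyzer Queue Length,Logger Queue Length,Session Queue Length,Flat Log Requests,Mysql Disk Usage
2024-01-01 10:00:00,4123,0,10,1200,0,70
2024-01-01 10:01:00,4123,5000,20,1250,0,70
2024-01-01 10:02:00,4123,6000,30,1300,0,71
2024-01-01 10:03:00,4123,7000,40,1350,0,71
2024-01-01 10:04:00,4123,8000,50,1400,0,72
2024-01-01 10:05:00,4123,9000,60,1450,0,72
2024-01-01 10:06:00,4123,9500,70,1500,12,73
2024-01-01 10:07:00,4123,9800,80,3700,40,88
2024-01-01 10:08:00,5210,0,0,20,40,91
"""


def parse_rows(text):
    """Parse a CSV export into dicts; every column except Timestamp becomes an int."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v if k == "Timestamp" else int(v)) for k, v in raw.items()})
    return rows


def check_rows(rows):
    """Return (timestamp, kind, detail) findings in row order."""
    findings = []
    elevated_run = 0  # consecutive rows with a non-zero analyzer queue
    prev = None
    for row in rows:
        ts = row["Timestamp"]

        # Analyzer queue: ideally zero. A short spike is normal; a sustained one is not.
        if row["Analyzer Queue Length"] > 0:
            elevated_run += 1
            if elevated_run == MAX_ELEVATED_ROWS + 1:
                findings.append((ts, "analyzer_queue",
                                 "analyzer queue non-zero for more than %d consecutive rows"
                                 % MAX_ELEVATED_ROWS))
        else:
            elevated_run = 0

        if prev is not None:
            # A changed PID means the sniffer restarted between the two rows.
            if row["Sniffer Process ID"] != prev["Sniffer Process ID"]:
                findings.append((ts, "sniffer_restart", "PID %d -> %d"
                                 % (prev["Sniffer Process ID"], row["Sniffer Process ID"])))
            # Flat log requests only grow when the sniffer is overflowing into the flat log.
            if row["Flat Log Requests"] > prev["Flat Log Requests"]:
                findings.append((ts, "flat_log", "flat log requests %d -> %d"
                                 % (prev["Flat Log Requests"], row["Flat Log Requests"])))

        # Session queue: hard limit of 4000 monitored sessions.
        if row["Session Queue Length"] >= MAX_SESSIONS * SESSION_WARN_FRACTION:
            findings.append((ts, "session_limit", "%d open sessions, limit %d"
                             % (row["Session Queue Length"], MAX_SESSIONS)))

        # MySQL disk: the sniffer stops once usage reaches 90%.
        if row["Mysql Disk Usage"] >= DISK_STOP_PCT:
            findings.append((ts, "disk", "MySQL disk usage %d%% reaches the %d%% stop threshold"
                             % (row["Mysql Disk Usage"], DISK_STOP_PCT)))
        prev = row
    return findings


def check_export(text):
    """Convenience wrapper: parse a CSV export and run the checks."""
    return check_rows(parse_rows(text))


if __name__ == "__main__":
    for ts, kind, detail in check_export(SAMPLE_CSV):
        print(ts, kind, detail)
```

On the sample rows the analyzer queue is non-zero from 10:01 onward, so the seventh consecutive elevated row (10:07) is the one that gets flagged, matching the "five or six rows" guidance; flat log requests start climbing one row earlier, which is why the table calls them the more direct indicator. The last row shows the pattern to expect after an overflow: a new PID (restart) with empty queues, plus disk usage already past the 90% stop threshold.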