{"id":13530161,"url":"https://github.com/regit/suri-stats","last_synced_at":"2025-03-26T14:32:20.802Z","repository":{"id":4146509,"uuid":"5260288","full_name":"regit/suri-stats","owner":"regit","description":"A tools to work on suricata stats.log file.","archived":false,"fork":false,"pushed_at":"2015-10-14T16:07:33.000Z","size":332,"stargazers_count":28,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-21T23:33:58.581Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/regit.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2012-08-01T14:29:19.000Z","updated_at":"2024-12-25T08:47:19.000Z","dependencies_parsed_at":"2022-07-20T07:32:11.513Z","dependency_job_id":null,"html_url":"https://github.com/regit/suri-stats","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fsuri-stats","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fsuri-stats/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fsuri-stats/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/regit%2Fsuri-stats/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/regit","download_url":"https://codeload.github.com/regit/suri-stats/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245670939,"owners_count":206534
55,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T07:00:44.901Z","updated_at":"2025-03-26T14:32:20.451Z","avatar_url":"https://github.com/regit.png","language":"Python","funding_links":[],"categories":["Operations, Monitoring and Troubleshooting"],"sub_categories":[],"readme":"Suri-stats\n==========\n\nIntroduction\n------------\n\nsuri-stats is a small script based on IPython and matplotlib. It enables you to\nload a Suricata stats.log file and/or an EVE JSON file. Once this is done, it is\npossible to graph performance indicators.\n\n.. image:: https://raw.githubusercontent.com/regit/suri-stats/master/doc/correl.png\n    :alt: Correlation of performance counters in Suricata\n    :align: center\n\nInstallation\n------------\n\nYou can simply run ::\n\n ./setup.py install\n\nUsage\n-----\n\nFor a complete usage message, run ::\n\n suri-stats -h\n\nInteractive usage\n~~~~~~~~~~~~~~~~~\n\nLet's assume we've got a stats.log in /tmp/. 
Being in the suri-stats directory, one\ncan run ::\n\n  suri-stats\n\nYou will be given a shell.\n\nThe first thing to do is to create a Stats object ::\n\n  In [1]: ST=Stats(\"long run\")\n  In [2]: ST.load_file(\"/tmp/stats.log\")\n\nTo load a JSON file ::\n\n  In [1]: ST=Stats(\"modern run\")\n  In [2]: ST.load_json_file(\"/tmp/stats.json\")\n\nThis can take some time if the file is big.\n\nYou can also directly work on a file by running ::\n\n  suri-stats /tmp/stats.log\n\nor for a JSON file ::\n\n  suri-stats -e /tmp/stats.log\n\nThe ST object will be created automatically.\n\nNow, it is possible to list the retrieved counters ::\n\n  In [3]: ST.list_counters()\n  Out[3]: \n  ['decoder.udp',\n   'decoder.avg_pkt_size',\n   'tcp.memuse',\n   'tcp.segment_memcap_drop',\n   'defrag.ipv6.fragments',\n   'decoder.sctp',\n   'tcp.reassembly_gap',\n   ...\n   'decoder.pppoe',\n   'capture.kernel_drops',\n   'tcp.synack',\n   'flow_mgr.closed_pruned',\n   'decoder.ipv6',\n   'decoder.pkts',\n   'decoder.ipv4',\n   'tcp.reassembly_memuse',\n   'capture.kernel_packets']\n\nYou can now graph the values you want; successive calls to plot add each graph to the same output ::\n\n  In [4]: ST.plot('tcp.reassembly_memuse')\n  In [5]: ST.plot('capture.kernel_drops')\n  \nYou can even save the graph to a file ::\n\n  In [6]: savefig(\"correl.png\")\n\nIn fact, you can use any function of matplotlib.\n\nHandling stats file with multiple runs\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nIf your statistics file contains the log for multiple Suricata runs, you\nwill be able to access the different runs by using the .runs array of\nthe Stats object. 
Each element of the array is one Stats object, with the\nfirst element being the initial Stats object itself.\n\nFor example, to display the kernel drops for the first two runs ::\n\n In [10]: print ST.runs[1].plot('capture.kernel_drops')\n In [11]: print ST.runs[0].plot('capture.kernel_drops')\n\nCommand line operation\n~~~~~~~~~~~~~~~~~~~~~~\n\nIt is possible to output statistics for a file ::\n\n  suri-stats -s -c decoder.pkts,decoder.ipv4,decoder.ipv6 -S  stats.log -v\n  Created ST object for run 'Run'\n  Loading stats.log file 'stats-short.log'\n  Key:Min:Mean:Max:Std\n  decoder.ipv4:1261291.582492:1313827.987111:1427241.263158:23698.509236\n  decoder.ipv6:2357.928211:2685.328384:4111.746809:210.005908\n  decoder.pkts:1257964.710665:1311786.272049:1423458.157895:24212.591057\n\nIt is also possible to directly plot the result ::\n\n  suri-stats -p -c decoder.pkts,decoder.ipv4,decoder.ipv6 -S -o /tmp/out.png stats.log\n\nYou can also output the result in other formats by changing the output extension. For\nexample, to get a PDF output ::\n\n  suri-stats -p -c decoder.pkts,decoder.ipv4,decoder.ipv6 -S -o /tmp/out.pdf stats.log\n\nIf your file contains multiple runs, you can use the `-r` flag to select one (counting\nfrom 0).\n\nThe plot function\n-----------------\n\nThe stats are merged by default. 
But it is possible to display one graph per thread ::\n\n  In [7]: ST.plot(\"detect.alert\", merge=False)\n\nIt is also possible to plot for one single thread ::\n\n  In [8]: ST.plot('tcp.sessions', 'AFPacketeth310')\n\nTo get the list of threads you can use ::\n\n  In [9]: ST.list_threads('tcp.sessions')\n\nTo start a new graph, you can use the clf() function or close the graph window.\n\nTo graph speed instead of raw data, you can use ::\n\n  In [10]: ST.plot('tcp.sessions', speed=True)\n\nTo graph normalized data instead of raw data, you can use ::\n\n  In [11]: ST.plot('capture.kernel_drops', normalized=True)\n  In [12]: ST.plot('decoder.tcp', normalized=True)\n\nThis allows you to graph data with different scales on the same graph, as\nboth data sets are normalized.\n\n\nExporting data to graphite\n--------------------------\n\nsuri-stats provides a script named 'suri-graphite' which can be used to send Suricata\nperformance counters to a Graphite server. suri-graphite connects to the Suricata unix\nsocket, dumps counters at a regular interval (Suricata 1.4.1 or a git build is required) and\nsends this data to the Graphite server specified by the -H flag.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fregit%2Fsuri-stats","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fregit%2Fsuri-stats","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fregit%2Fsuri-stats/lists"}