cpw at ...86...
Wed Nov 29 13:45:21 EST 2000
This segment of code might give some Linux snort users a false sense of
assurance about packet loss.
    if( ps.ps_recv )
        LogMessage(" and dropped %d(%.3f%%) packets\n\n", ps.ps_drop, CalcPct(drop, recv));
However, I don't know what to do about it. In my case, the kernel provides
a drop count.
    pcap-linux.c: p->md.stat.ps_drop = tps.tp_drops;
And, it appears that the other drivers in the lbl libpcap source
have access to drop counts.
    pcap-bpf.c: ps->ps_drop = s.bs_drop;
    pcap-dlpi.c: p->md.stat.ps_drop += sbp->sbh_drops;
    pcap-nit.c: p->md.stat.ps_drop = nh->nh_dropped;
    pcap-pf.c: ps->ps_drop = p->md.TotDrops;
    pcap-snit.c: p->md.stat.ps_drop = ndp->nh_drops;
    pcap-snoop.c: p->md.stat.ps_drop =
What if both ps.ps_recv and ps.ps_drop were tested:
    if( ps.ps_recv && ps.ps_drop )
so at least snort would not erroneously report 0 dropped packets.
Just a suggestion. No action on this item is perfectly acceptable.
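
The two-condition test suggested in the message above, as an added example that is not part of the original post or of Snort's source. It goes one step further than the suggestion by returning an explicit "unknown" state when the drop counter is 0, so a sensor operator can tell measured loss apart from a counter that may never have been filled in. `struct cap_stats`, `pct_dropped` and `format_drop_report` are hypothetical names, the struct is a local stand-in for the two libpcap counters so the code builds without libpcap, and the percentage formula is an assumption.

```c
#include <stdio.h>

/* Local stand-in for the two counters discussed in the post. */
struct cap_stats {
    unsigned int ps_recv;
    unsigned int ps_drop;
};

enum drop_report {
    REPORT_NOTHING,        /* ps_recv == 0: nothing was captured */
    REPORT_DROPS_UNKNOWN,  /* ps_drop == 0: no loss, or driver gave no count */
    REPORT_LOSS            /* ps_drop > 0: loss was measured */
};

/* Hypothetical helper; argument order follows CalcPct(drop, recv) in the post.
 * Assumed formula: drops as a percentage of received packets. */
double pct_dropped(unsigned int drop, unsigned int recv)
{
    return recv ? 100.0 * (double)drop / (double)recv : 0.0;
}

/* Writes the report line into buf and says which case applied. */
enum drop_report format_drop_report(const struct cap_stats *ps,
                                    char *buf, size_t len)
{
    if (len)
        buf[0] = '\0';
    if (!ps->ps_recv)
        return REPORT_NOTHING;
    if (!ps->ps_drop) {
        /* Do not claim "0 dropped": the counter may simply be unsupported. */
        snprintf(buf, len, " drop count is 0 or not provided by the driver\n");
        return REPORT_DROPS_UNKNOWN;
    }
    snprintf(buf, len, " and dropped %u(%.3f%%) packets\n",
             ps->ps_drop, pct_dropped(ps->ps_drop, ps->ps_recv));
    return REPORT_LOSS;
}

int main(void)
{
    /* Constructed sample counters, not real capture statistics. */
    struct cap_stats samples[] = { {0, 0}, {1000, 0}, {1000, 25} };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum drop_report r = format_drop_report(&samples[i], line, sizeof line);
        printf("case %d:%s", (int)r, line[0] ? line : " (no report)\n");
    }
    return 0;
}
```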