[Snort-devel] Checksums

Alberto Dainotti alberto at ...68...
Wed Oct 25 18:02:11 EDT 2000


Hello, I started to implement checksums in snort some days ago.
I used simple code, in practice identical to that which you can find in
libnet or in Stevens' examples. It seems that compiling it with -O3 makes
it very fast and I didn't find anything faster (gcc does a hell of a lot
of work).
I also tried the asm86 routines in the Linux kernel but strangely they
seem slower (!?). Maybe I'm missing something in my performance
tests. BTW, how do you test how much time one routine takes compared to
another?

I thought the code should go in the decoding engine too, right after
the "IP header truncated" and "Not IPv4 datagram" tests, discarding
the packet in case of a test failure.
I'm not sending you a patch now because all the code is a mess. I was
waiting before posting a message about it, but below I've cut and
pasted the function:

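#include <sys/types.h>	/* u_short, u_char */

/*
 * 16-bit one's-complement Internet checksum over nbytes at addr.
 * The words are summed in memory (network) byte order, so the result
 * can be stored into or compared with the header field directly.
 */
u_short
do_cksum(u_short *addr, int nbytes)
{
	long sum;
	u_short oddbyte;

	sum = 0;
	while (nbytes > 1) {		/* sum the 16-bit words */
		sum += *addr++;
		nbytes -= 2;
	}
	if (nbytes == 1) {		/* odd trailing byte, padded with a zero byte */
		oddbyte = 0;
		*(u_char *)(&oddbyte) = *(u_char *)addr;
		sum += oddbyte;
	}

	sum  = (sum >> 16) + (sum & 0xffff);	/* add high-16 to low-16 */
	sum += (sum >> 16);			/* add carry */
	return (u_short)(~sum);			/* one's complement, truncated to 16 bits */
}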


Greets,
				Alberto.
 

On Wed, 25 Oct 2000, Christopher Cramer wrote:

> 
> Marty,
> 
> I think the fastest code may be along the lines of the portable BSD
> checksum code.  Since it is under the BSD license, we could probably snipe
> it, cite it and hack it to work better with Snort.  If that makes you
> uncomfortable (it makes me a little uneasy), I can take the _principles_
> used for their fast portable code and implement it myself.
> 
> For the Packet struct, we might consider a u_short variable (or u_char)
> which is the OR-ing of flags representing checksum errors in IP, TCP, UDP,
> etc.
> 
> This way, an optimization would be to have some plugins bail if the
> checksum variable != 0, improving speed.  However, a stats plugin might
> record the number of checksum errors of different types.
> 
> -Chris
> 
> 
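
The two ideas in this thread, combined as an added example (not code from either poster or from Snort): verify the IPv4 header checksum right after the truncation and version tests, record the result as OR-ed flag bits, and let detection plugins bail when any bit is set while a stats counter still sees the error. The CSE_* names, struct csum_stats, check_ipv4() and should_inspect() are hypothetical, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical flag bits for the proposed Packet field (names are assumptions). */
#define CSE_IP  0x01
#define CSE_TCP 0x02
#define CSE_UDP 0x04

struct csum_stats { unsigned ip, tcp, udp; };   /* hypothetical stats plugin state */

/* Constructed sample: 20-byte IPv4 header whose checksum field (0xb861) is valid. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

/* Internet checksum read byte-wise (safe on unaligned capture buffers);
 * a 32-bit sum cannot overflow for any IP-sized input (< 64 KiB). */
uint16_t inet_cksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; p += 2, n -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (n == 1)
        sum += (uint32_t)p[0] << 8;          /* odd byte, zero padded */
    while (sum >> 16)
        sum = (sum >> 16) + (sum & 0xffff);  /* fold carries back in */
    return (uint16_t)~sum;
}

/* -1: fails the earlier decoder tests (truncated, not IPv4, bad header length);
 * otherwise the OR of CSE_* bits, 0 meaning the header checksum verified. */
int check_ipv4(const uint8_t *pkt, size_t caplen)
{
    size_t hlen;
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > caplen)
        return -1;
    /* Summing a header that includes a correct checksum field yields 0. */
    return inet_cksum(pkt, hlen) == 0 ? 0 : CSE_IP;
}

/* Stats see every flag; detection plugins bail when any flag is set. */
int should_inspect(int flags, struct csum_stats *st)
{
    if (flags & CSE_IP)  st->ip++;
    if (flags & CSE_TCP) st->tcp++;
    if (flags & CSE_UDP) st->udp++;
    return flags == 0;
}
```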



