[Snort-devel] Checksums

Martin Roesch roesch at ...48...
Wed Oct 25 21:52:10 EDT 2000


The asm86 routines probably won't be as interesting to us as something that is
fast and portable (i.e. C). :)

Maybe you and Chris should work together?

    -Marty

Alberto Dainotti wrote:
> 
> Hello, I started to implement checksums in snort some days ago,
> I used simple code in practice identical to that which you can find in
> libnet or in Stevens examples, it seems that compiling it with -O3 makes
> it very fast and I didn't find anything faster (gcc does a hell of
> work).
> I also tried the asm86 routines in the linux kernel but strangely they
> seem slower (!?) .. maybe I'm missing something doing my performance
> tests.. btw how do you test how much time it takes a routine instead of
> another one?
> 
> I thought code should go in the decoding engine too .. right after
> the "IP header truncated" and "Not IPv4 datagram" tests, discarding
> the packet in case of a test failure.
> I don't send you a patch now 'cause all the code is a mess, I was
> waiting before posting a message about it, but here below I've cut and
> pasted the function:
> 
> u_short
> do_cksum(u_short *addr, int nbytes)
> {
>         long sum;
>         u_short oddbyte;
> 
>         sum = 0;
>         while (nbytes > 1) {
>                 sum += *addr++;
>                 nbytes -= 2;
>         }
>         if (nbytes == 1) {
>                 oddbyte=0;
>                 *(u_char *)(&oddbyte) = *(u_char *)addr;
>                 sum += oddbyte;
>         }
> 
>         sum  = (sum >> 16) + (sum & 0xffff);    /* add high-16 to low-16 */
>         sum += (sum >> 16);                     /* add carry */
>         return (~sum);
> }
> 
> Greets,
>                                 Alberto.
> 
> 
> On Wed, 25 Oct 2000, Christopher Cramer wrote:
> 
> >
> > Marty,
> >
> > I think the fastest code may be along the lines of the portable BSD
> > checksum code.  Since it is under the BSD license, we could probably snipe
> > it, cite it and hack it to work better with Snort.  If that makes you
> > uncomfortable (it makes me a little uneasy), I can take the _principles_
> > used for their fast portable code and implement it myself.
> >
> > For the Packet struct, we might consider a u_short variable (or u_char)
> > which is the OR-ing of flags representing checksum errors in IP, TCP, UDP,
> > etc.
> >
> > This way, an optimization would be to have some plugins bail if the
> > checksum variable != 0, improving speed.  However, a stats plugin might
> > record the number of checksum errors of different types.
> >
> > -Chris
> >
> >

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
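
The two ideas in this thread, verifying checksums in the decoder right after the header sanity tests and recording failures as OR-ed flags, are sketched below as an added example. It is not code from the thread or from Snort, and the `CSE_*` flag names, `check_ipv4` and the sample packet are hypothetical. It reads bytes individually, so it makes no alignment or host byte-order assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag bits for a per-packet checksum-error field. */
#define CSE_IP  0x01u   /* IPv4 header checksum (or header) bad */
#define CSE_UDP 0x04u   /* UDP checksum (or UDP length) bad */

/* One's-complement sum of big-endian 16-bit words; an odd trailing
 * byte is padded with zero (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t sum)
{
    while (n > 1) { sum += (uint32_t)p[0] << 8 | p[1]; p += 2; n -= 2; }
    if (n) sum += (uint32_t)p[0] << 8;
    return sum;
}

static uint16_t fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum >> 16) + (sum & 0xffff);
    return (uint16_t)~sum;   /* 0 when data already includes a valid checksum */
}

/* Returns the OR of CSE_* flags; 0 means every checked sum verified. */
unsigned check_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20) return CSE_IP;             /* cannot verify a truncated header */
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = (size_t)pkt[2] << 8 | pkt[3];
    if (hlen < 20 || hlen > tot || tot > len) return CSE_IP;
    unsigned flags = fold(sum16(pkt, hlen, 0)) ? CSE_IP : 0u;
    int frag = ((pkt[6] & 0x3f) | pkt[7]) != 0;   /* MF set or offset != 0 */
    if (pkt[9] == 17 && !frag && tot - hlen >= 8) {
        const uint8_t *u = pkt + hlen;
        size_t ulen = (size_t)u[4] << 8 | u[5];
        if (ulen < 8 || ulen > tot - hlen) flags |= CSE_UDP;
        else if (u[6] | u[7]) {              /* 0 = sender computed no checksum */
            uint32_t s = sum16(pkt + 12, 8, 17 + (uint32_t)ulen); /* pseudo-header */
            if (fold(sum16(u, ulen, s))) flags |= CSE_UDP;
        }
    }
    return flags;
}

/* Constructed sample: IPv4 + UDP with the 3-byte payload "abc". */
static const uint8_t sample_pkt[31] = {
    0x45,0x00,0x00,0x1f,0x00,0x00,0x40,0x00,0x40,0x11,0xb8,0xb5,0xc0,0xa8,0x00,0x01,
    0xc0,0xa8,0x00,0xc7,0x12,0x34,0x00,0x35,0x00,0x0b,0xa6,0xf3,'a','b','c' };

int main(void) { printf("flags=0x%02x\n", check_ipv4(sample_pkt, 31)); return 0; }
```

A detection plugin can skip the packet when the returned value is nonzero, while a statistics plugin can count each flag separately.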