[Snort-devel] snort and /etc/protocols

Martin Roesch roesch at ...48...
Sat Feb 10 22:50:04 EST 2001


This is due to the InitProtoNames() function calling getprotobyname 256
times when loading the protocol table in snort.c.

    -Marty

Erek Adams wrote:
> 
> After doing a CVS grab, I had a few issues.  So I whip out the handy-dandy
> "Truss-o-Matic (tm)" to help me out.  I noticed something a bit odd when
> looking thru the truss output.  The section below repeats--256 times.
> 
> Anyone?
> 
> -----
> 
> /local/home/snort# grep -ic "/etc/protocols" /tmp/snorttruss
> 256
> 
> [...snipped truss output...]
> 
> open("/etc/protocols", O_RDONLY)                = 3
> fstat64(3, 0xEFFFF798)                          = 0
>     d=0x00800018 i=70535 m=0100444 l=1  u=0     g=3     sz=980
>         at = Jan 31 08:54:10 PST 2001  [ 980960050 ]
>         mt = Jan 29 09:53:36 PST 2000  [ 949168416 ]
>         ct = Jan 29 09:53:36 PST 2000  [ 949168416 ]
>     bsz=8192  blks=2     fs=ufs
> brk(0x0007FC70)                                 = 0
> brk(0x00081C70)                                 = 0
> ioctl(3, TCGETA, 0xEFFFF724)                    Err#25 ENOTTY
> read(3, 0x0007EF24, 8192)                       = 980
>    # i d e n t\t " @ ( # ) p r o t o c o l s\t 1 . 4\t 9 7 / 0 5 /
>    1 6   S M I "\t / *   S V r 4 . 0   1 . 1\t * /\n\n #\n #   I n
>    t e r n e t   ( I P )   p r o t o c o l s\n #\n i p\t\t 0\t I P
>   \t\t #   i n t e r n e t   p r o t o c o l ,   p s e u d o   p r
>    o t o c o l   n u m b e r\n i c m p\t\t 1\t I C M P\t\t #   i n
>    t e r n e t   c o n t r o l   m e s s a g e   p r o t o c o l\n
>    g g p\t\t 3\t G G P\t\t #   g a t e w a y - g a t e w a y   p r
>    o t o c o l\n t c p\t\t 6\t T C P\t\t #   t r a n s m i s s i o
>    n   c o n t r o l   p r o t o c o l\n e g p\t\t 8\t E G P\t\t #
>      e x t e r i o r   g a t e w a y   p r o t o c o l\n p u p\t\t
>    1 2\t P U P\t\t #   P A R C   u n i v e r s a l   p a c k e t
>    p r o t o c o l\n u d p\t\t 1 7\t U D P\t\t #   u s e r   d a t
>    a g r a m   p r o t o c o l\n h m p\t\t 2 0\t H M P\t\t #   h o
>    s t   m o n i t o r i n g   p r o t o c o l\n x n s - i d p\t\t
>    2 2\t X N S - I D P\t\t #   X e r o x   N S   I D P\n r d p\t\t
>    2 7\t R D P\t\t #   " r e l i a b l e   d a t a g r a m "   p r
>    o t o c o l\n\n #\n #   I n t e r n e t   ( I P v 6 )   e x t e
>    n s i o n   h e a d e r s\n #\n i p v 6\t\t 4 1\t I P v 6\t\t #
>      I P v 6   i n   I P   e n c a p s u l a t i o n\n i p v 6 - r
>    o u t e\t 4 3\t I P v 6 - R o u t e\t #   R o u t i n g   h e a
>    d e r   f o r   I P v 6\n i p v 6 - f r a g\t 4 4\t I P v 6 - F
>    r a g\t #   F r a g m e n t   h e a d e r   f o r   I P v 6\n e
>    s p\t\t 5 0\t E S P\t\t #   E n c a p   S e c u r i t y   P a y
>    l o a d   f o r   I P v 6\n a h\t\t 5 1\t A H\t\t #   A u t h e
>    n t i c a t i o n   H e a d e r   f o r   I P v 6\n i p v 6 - i
>    c m p\t 5 8\t I P v 6 - I C M P\t #   I P v 6   i n t e r n e t
>      c o n t r o l   m e s s a g e   p r o t o c o l\n i p v 6 - n
>    o n x t\t 5 9\t I P v 6 - N o N x t\t #   N o   n e x t   h e a
>    d e r   e x t e n s i o n   h e a d e r   f o r   I P v 6\n i p
>    v 6 - o p t s\t 6 0\t I P v 6 - O p t s\t #   D e s t i n a t i
>    o n   O p t i o n s   f o r   I P v 6\n
> llseek(3, 0xFFFFFFFFFFFFFCBA, SEEK_CUR)         = 142
> close(3)                                        = 0
> open("/etc/protocols", O_RDONLY)                = 3
> fstat64(3, 0xEFFFF798)                          = 0
>     d=0x00800018 i=70535 m=0100444 l=1  u=0     g=3     sz=980
>         at = Jan 31 08:57:17 PST 2001  [ 980960237 ]
>         mt = Jan 29 09:53:36 PST 2000  [ 949168416 ]
>         ct = Jan 29 09:53:36 PST 2000  [ 949168416 ]
>     bsz=8192  blks=2     fs=ufs
> ioctl(3, TCGETA, 0xEFFFF724)                    Err#25 ENOTTY
> read(3, 0x0007EF24, 8192)                       = 980
>    # i d e n t\t " @ ( # ) p r o t o c o l s\t 1 . 4\t 9 7 / 0 5 /
>    1 6   S M I "\t / *   S V r 4 . 0   1 . 1\t * /\n\n #\n #   I n
>    t e r n e t   ( I P )   p r o t o c o l s\n #\n i p\t\t 0\t I P
>   \t\t #   i n t e r n e t   p r o t o c o l ,   p s e u d o   p r
>    o t o c o l   n u m b e r\n i c m p\t\t 1\t I C M P\t\t #   i n
> 
> [...snipped truss output...]
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 

--
Martin Roesch
roesch at ...48...
http://www.snort.org
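
The truss trace quoted above shows /etc/protocols being opened and read in full once per lookup, 256 times in total. The following is an added example, not code from Snort or from either poster: it fills a 256-entry name table from a single pass over the file's text. The names proto_names and load_proto_names, the "PROTO%03d" placeholder for unlisted numbers, and the SAMPLE text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define NPROTO  256
#define NAMELEN 32

static char proto_names[NPROTO][NAMELEN];

/* Constructed sample in /etc/protocols format, not a real system file. */
static const char SAMPLE[] =
    "#\n# Internet (IP) protocols\n#\n"
    "ip\t\t0\tIP\t\t# internet protocol, pseudo protocol number\n"
    "tcp\t\t6\tTCP\t\t# transmission control protocol\n"
    "udp\t\t17\tUDP\t\t# user datagram protocol\n"
    "bogus\t\t999\tBOGUS\t\t# out of range, must be ignored\n"
    "ipv6-icmp\t58\tIPv6-ICMP";              /* last line has no newline */

/* Fill proto_names[] from the text of a protocols file in a single pass.
 * Returns the number of entries taken from the text. */
int load_proto_names(const char *text)
{
    char line[256], name[NAMELEN];
    int i, num, found = 0;
    for (i = 0; i < NPROTO; i++)             /* assumed placeholder name */
        snprintf(proto_names[i], NAMELEN, "PROTO%03d", i);
    while (*text) {
        size_t len = strcspn(text, "#\n");   /* stop at comment or end of line */
        if (len > sizeof line - 1)
            len = sizeof line - 1;           /* over-long line: keep its start */
        memcpy(line, text, len);
        line[len] = '\0';
        text += strcspn(text, "\n");         /* always advance to the real EOL */
        if (*text)
            text++;
        /* %4d reads at most four digits, so the value cannot overflow an int */
        if (sscanf(line, "%31s %4d", name, &num) == 2 && num >= 0 && num < NPROTO) {
            strcpy(proto_names[num], name);
            found++;
        }
    }
    return found;
}

int main(void)
{
    static char buf[65536];
    FILE *fp = fopen("/etc/protocols", "r");                /* one open */
    size_t n = fp ? fread(buf, 1, sizeof buf - 1, fp) : 0;  /* one bulk read */
    if (fp) fclose(fp);
    buf[n] = '\0';
    printf("%d entries, 6=%s\n", load_proto_names(n ? buf : SAMPLE), proto_names[6]);
    return 0;
}
```

This reads the flat file directly rather than going through the libc lookup calls, so it only sees entries that are in /etc/protocols itself.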



