[Snort-devel] preprocessor oddity

Chris Green cmg at ...81...
Thu Jan 4 14:59:54 EST 2001


I'm playing with spp_ today and this is what my toy function is at the
moment:

void PreprocFlowstat(Packet *p)
{
    if(p->iph == NULL) return;
    if(p->iph->ip_proto != IPPROTO_TCP) return;

    if(p->dp == 21) {
	fprintf(stderr, "FTP Traffic %s -> %s Dsize: %d\n",
		inet_ntoa(p->iph->ip_src),
		inet_ntoa(p->iph->ip_dst),
		p->dsize);
    }
}

The trouble I get is

FTP Traffic SRC -> SRC Dsize: 0
FTP Traffic SRC -> SRC Dsize: 0
FTP Traffic SRC -> SRC Dsize: 0
FTP Traffic SRC -> SRC Dsize: 0

Where SRC is the source IP. At first, I thought I might have a weird
broken pcap on Linux so I then went to OpenBSD and had the same
behavior.

I am ftping from the machine I am running snort on to the machine
running the ftpd.  If I use the -v switch, the IPs are written out
correctly in the dump but not in my preproc function.
-- 
Chris Green <cmg at ...81...>
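
Added example, not part of the original post: inet_ntoa() returns a pointer to one static buffer, so two calls in a single argument list hand both %s conversions the same string, which matches the SRC -> SRC output above. The function names, the halves_match helper and the 192.0.2.x addresses are constructed for illustration; format_flow_ntop builds the same line with inet_ntop() and one caller-owned buffer per address.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Call pattern from the post: both inet_ntoa() calls finish before anything
 * is formatted, and each returns a pointer to the same static buffer. */
int format_flow_ntoa(char *out, size_t len, struct in_addr src, struct in_addr dst)
{
    return snprintf(out, len, "%s -> %s", inet_ntoa(src), inet_ntoa(dst));
}

/* Alternative: inet_ntop() writes into caller-owned buffers, one per address. */
int format_flow_ntop(char *out, size_t len, struct in_addr src, struct in_addr dst)
{
    char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];

    if (inet_ntop(AF_INET, &src, s, sizeof s) == NULL ||
        inet_ntop(AF_INET, &dst, d, sizeof d) == NULL)
        return -1;
    return snprintf(out, len, "%s -> %s", s, d);
}

/* Returns 1 when the two halves of "A -> B" are the same string. */
int halves_match(const char *line)
{
    const char *sep = strstr(line, " -> ");
    size_t left = sep ? (size_t)(sep - line) : 0;

    return sep != NULL && strlen(sep + 4) == left &&
           strncmp(line, sep + 4, left) == 0;
}

int main(void)
{
    struct in_addr src, dst;   /* constructed sample addresses (TEST-NET-1) */
    char line[64];

    inet_pton(AF_INET, "192.0.2.10", &src);
    inet_pton(AF_INET, "192.0.2.21", &dst);

    format_flow_ntoa(line, sizeof line, src, dst);
    printf("inet_ntoa: %s\n", line);   /* same address on both sides */
    format_flow_ntop(line, sizeof line, src, dst);
    printf("inet_ntop: %s\n", line);   /* distinct source and destination */
    return 0;
}
```

Which address appears twice in the inet_ntoa line depends on the order the compiler evaluates the arguments, so it can differ between platforms.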



