[Snort-devel] weird problem: snort cannot see tcp packets

Burak DAYIOGLU dayioglu at ...287...
Fri May 4 09:39:46 EDT 2001


hello,
I am trying to run snort with two home built plugins on
linux in a high-volume 100mbps ethernet environment.

Interestingly, although I can see a flood of tcp packets
flowing around with tcpdump, snort cannot see (and therefore
examine) any tcp packets. After running it a few seconds and
stopping it, I see something like the below:


Snort received 1105 packets and dropped 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0         
    UDP: 280        (25.339%)         LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 277        (25.068%)
   IPv6: 0          (0.000%)
    IPX: 250        (22.624%)
  OTHER: 298        (26.968%)
DISCARD: 0          (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
===============================================================================
TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0         
===============================================================================


I am running 1.8B4Build15 on linux. If I don't give any
configuration file and run it in verbose mode, I can see
TCP packet flow in snort as well. When using the snort.conf,
I am using tcp-stream2 preprocessor for session reconstruction.
Disabling it doesn't help.

any thoughts?




More information about the Snort-devel mailing list