[Snort-devel] weird problem: snort cannot see tcp packets
dayioglu at ...287...
Fri May 4 09:39:46 EDT 2001
I am trying to run Snort with two home-built plugins on
Linux in a high-volume 100 Mbps Ethernet environment.
Interestingly, although I can see a flood of TCP packets
flowing around with tcpdump, Snort cannot see (and therefore
cannot examine) any TCP packets. After running it for a few seconds and
stopping it, I see something like the following:
Snort received 1105 packets and dropped 0 (0.000%) packets

Breakdown by protocol:
  TCP:      0    (0.000%)
  UDP:      280  (25.339%)
  ICMP:     0    (0.000%)
  ARP:      277  (25.068%)
  IPv6:     0    (0.000%)
  IPX:      250  (22.624%)
  OTHER:    298  (26.968%)
  DISCARD:  0    (0.000%)

Action Stats:
  ALERTS: 0
  LOGGED: 0
  PASSED: 0

Fragmented IP Packets: 0 (0.000%)
Rebuilt IP Packets: 0
Frag elements used: 0

TCP Stream Reassembly Stats:
  TCP Packets Used: 0 (0.000%)
  Reconstructed Packets: 0 (0.000%)
  Streams Reconstructed: 0
I am running 1.8B4Build15 on Linux. If I don't give it a
configuration file and run it in verbose mode, I can see the
TCP packet flow in Snort as well. When using snort.conf,
I am using the tcp-stream2 preprocessor for session reconstruction.
Disabling it doesn't help.
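As an added example (my own code, not part of the original post and not part of Snort): a small Python parser for the end-of-run summary pasted above, followed by a consistency check. The check verifies that the protocol buckets add up to the received count, that each printed percentage matches count/received, and flags the symptom described in the post: packets received, nothing dropped, yet zero decoded as TCP. Run against the summary above it reports only that last finding, which confirms the counters are internally consistent: every one of the 1105 packets landed in some bucket, so the TCP traffic tcpdump sees is either not reaching Snort's decoder or not being classified as TCP. The function names `parse_snort_summary` and `check_summary` are my own; the sample text is the summary from the post.

```python
import re
from typing import Dict, List

# Run summary as pasted in the post above (Snort 1.8B4Build15 on Linux).
SNORT_SUMMARY = """\
Snort received 1105 packets and dropped 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 0 (0.000%) ALERTS: 0
UDP: 280 (25.339%) LOGGED: 0
ICMP: 0 (0.000%) PASSED: 0
ARP: 277 (25.068%)
IPv6: 0 (0.000%)
IPX: 250 (22.624%)
OTHER: 298 (26.968%)
DISCARD: 0 (0.000%)
Fragmented IP Packets: 0 (0.000%)
Rebuilt IP Packets: 0
Frag elements used: 0
TCP Stream Reassembly Stats:
TCP Packets Used: 0 (0.000%)
Reconstructed Packets: 0 (0.000%)
Streams Reconstructed: 0
"""

# The buckets printed under "Breakdown by protocol"; every received packet
# is expected to be counted in exactly one of them.
PROTOCOLS = ("TCP", "UDP", "ICMP", "ARP", "IPv6", "IPX", "OTHER", "DISCARD")

_RECEIVED = re.compile(r"received\s+(\d+)\s+packets\s+and\s+dropped\s+(\d+)")
# "NAME: count" optionally followed by "(pct%)". The breakdown and the
# action stats are printed side by side, so one line may carry two counters.
_COUNTER = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)(?:\s*\(([\d.]+)%\))?")


def parse_snort_summary(text: str) -> Dict[str, object]:
    """Turn the end-of-run summary into received/dropped totals plus
    two dicts: counters (name -> int) and percent (name -> float)."""
    received = dropped = None
    counters: Dict[str, int] = {}
    percent: Dict[str, float] = {}
    for line in text.splitlines():
        m = _RECEIVED.search(line)
        if m:
            received, dropped = int(m.group(1)), int(m.group(2))
            continue
        for name, count, pct in _COUNTER.findall(line):
            name = name.strip()
            counters[name] = int(count)
            if pct:
                percent[name] = float(pct)
    return {"received": received, "dropped": dropped,
            "counters": counters, "percent": percent}


def check_summary(summary: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looks off."""
    findings: List[str] = []
    received, dropped = summary["received"], summary["dropped"]
    counters, percent = summary["counters"], summary["percent"]
    if received is None:
        return ["no 'Snort received N packets' line found"]
    # 1. The protocol buckets must account for every received packet.
    total = sum(counters.get(p, 0) for p in PROTOCOLS)
    if total != received:
        findings.append(
            f"protocol buckets sum to {total}, but {received} packets were received")
    # 2. Each printed percentage must agree with count / received.
    for name in PROTOCOLS:
        if name in percent and received:
            expected = round(100.0 * counters[name] / received, 3)
            if abs(expected - percent[name]) > 0.0005:
                findings.append(
                    f"{name}: printed {percent[name]}%, but "
                    f"{counters[name]}/{received} is {expected}%")
    # 3. The symptom from the post: traffic arrived and nothing was dropped,
    #    yet no packet was decoded as TCP.
    if received and dropped == 0 and counters.get("TCP", 0) == 0:
        findings.append(
            f"{received} packets received, 0 dropped, but TCP: 0; compare with "
            "tcpdump on the same interface")
    return findings


if __name__ == "__main__":
    parsed = parse_snort_summary(SNORT_SUMMARY)
    for finding in check_summary(parsed) or ["summary is internally consistent"]:
        print(finding)
```

The percentage check uses the same three-decimal rounding Snort prints, so a mismatch there points at a copy-paste or counting error rather than rounding noise.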