[Snort-devel] Running pthread enabled snort?

Dirk Geschke dirk at ...972...
Sat Nov 24 02:46:02 EST 2001


> Well, if you noticed in the code, I placed the lock just at the point
> where the data is coming from libpcap, and during my testings I still
> had _very_ funky results. You mentioned that with the static fix
> which you posted, you managed to get things working, which actually
> surprised me :-)

With the GNU Pth I got it compiled without errors and it was running
blind. So I switched back to the LinuxThreads. Then I played around
with the error messages I got during the compile.

To get it running you have to put the initialization of the struct pt_lock
at the beginning of main(). Without the static declaration you get
a parse error within the initialization.

If I understand it correctly, the reason lies in the struct array
of pt_lock: pthread_mutex_t

With the static declaration you tell the compiler to reserve the space
for the struct in memory. The initialization with these values results
in warnings like:

snort.c:68: warning: type defaults to `int' in declaration of `pt_lock'
snort.c:68: warning: excess elements in scalar initializer
snort.c:68: warning: (near initialization for `pt_lock')
snort.c:68: warning: unused variable `pt_lock'

(Indeed if you look in the declarations of PTHREAD_MUTEX_INITIALIZER
you find a lot of "undeclared" values). 

The result is an unused variable which has a reserved memory part on
the stack...

However, it seems to work with one interface... I just tested it with
a second one. But then I get no alerts on the second interface and
the statistics show very strange results:

Snort analyzed 14 out of 14 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 14         (100.000%)         ALERTS: 3         
    UDP: 0          (0.000%)          LOGGED: 3         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
DISCARD: 271        (1935.714%)

In short: It works but the results of the second interface are

> > The problem is: If you want to mirror complete traffic you need two
> > sniffing ethernet cards. One card for the traffic from host A -> B
> > and one for the reverse direction B -> A. In full duplex mode both
> > directions can send at maximum speed. So to catch all data you need
> > two ethernet cards.
> Hmmm.. dodgy.. why wouldn't it work over a single wire to a switch/hub
> or something?

Okay, with a switch you have to copy the traffic to a monitor port. In
full duplex mode both sides of a connection are allowed to send and
receive simultaneously at full speed. With 100BASE-TX each box
can send at 100 Mb/s. This of course results in traffic of 200 Mb/s.
(Yes, it is a maximum value which will seldom happen in real life, but
it should explain the problem...)

Thus the whole traffic can only be sniffed with two ethernet cards,
or you have to throttle down the connection. The latter is what
a switch will do. (With real traffic this should not be a problem
at all. I suspect the whole traffic will be less than 100 Mb/s.)

With a Shomiti tap the sniffing process should be completely invisible
and you have no chance to throttle down the traffic. (How should you
do this without leaving traces? With a read-only device you can't
tell the other devices to throttle down...)

Best regards

| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Straße 26             |
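The mutex question discussed in the message above, as an added example that is neither Snort's code nor code posted in this thread: it shows the two legal ways to initialise the pthread mutex (statically at file scope with PTHREAD_MUTEX_INITIALIZER, which requires <pthread.h> to be included before the declaration so that pthread_mutex_t is a known type rather than defaulting to int, or dynamically with pthread_mutex_init() at the start of main()), and it uses that lock to guard the shared per-packet statistics when two capture threads, one per interface, feed them. The name pt_lock is taken from the thread; the packet stream, the counters and the interface threads are constructed stand-ins for libpcap and Snort's real processing path, not the project's code.

```c
/* Added example (not Snort code): static vs. dynamic pthread mutex
 * initialisation, and the lock guarding a shared packet-processing path
 * fed by two capture threads (one per interface). */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Static initialisation at file scope. <pthread.h> must already be
 * included: without it the compiler does not know pthread_mutex_t, the
 * declaration defaults to "int", and the initialiser macro then yields
 * the "excess elements in scalar initializer" warnings. */
static pthread_mutex_t pt_lock = PTHREAD_MUTEX_INITIALIZER;

/* Shared statistics, modelled on the per-protocol counters in the
 * summary printed above (constructed, not Snort's own struct). */
struct pkt_stats {
    unsigned long analyzed;
    unsigned long tcp, udp, other;
    unsigned long discarded;
};
static struct pkt_stats stats;

/* Constructed stand-in for a libpcap packet: protocol number and length. */
struct fake_packet { int proto; int len; };

/* Per-packet handling shared by all interfaces; must be called with
 * pt_lock held, otherwise two threads race on the counters. */
static void process_packet(const struct fake_packet *p)
{
    stats.analyzed++;
    switch (p->proto) {
    case 6:  stats.tcp++; break;
    case 17: stats.udp++; break;
    default: stats.other++; break;
    }
    if (p->len == 0)
        stats.discarded++;
}

struct iface_arg { int id; unsigned long npkts; };

/* One capture thread per interface. The lock sits exactly where data
 * leaves the (simulated) capture library and enters shared state. */
static void *capture_thread(void *arg)
{
    struct iface_arg *ia = arg;
    for (unsigned long i = 0; i < ia->npkts; i++) {
        /* Constructed stream: every 3rd packet UDP, every 10th zero-length. */
        struct fake_packet p = {
            .proto = (i % 3 == 0) ? 17 : 6,
            .len   = (i % 10 == 0) ? 0 : 60
        };
        pthread_mutex_lock(&pt_lock);
        process_packet(&p);
        pthread_mutex_unlock(&pt_lock);
    }
    return NULL;
}

/* Run nifaces capture threads of npkts packets each; returns the total
 * number of analysed packets and copies the counters to *out if given. */
unsigned long run_capture(int nifaces, unsigned long npkts, struct pkt_stats *out)
{
    pthread_t th[8];
    struct iface_arg args[8];
    if (nifaces > 8) nifaces = 8;
    memset(&stats, 0, sizeof stats);
    for (int i = 0; i < nifaces; i++) {
        args[i].id = i;
        args[i].npkts = npkts;
        pthread_create(&th[i], NULL, capture_thread, &args[i]);
    }
    for (int i = 0; i < nifaces; i++)
        pthread_join(th[i], NULL);
    if (out) *out = stats;
    return stats.analyzed;
}

/* Dynamic alternative: initialise the mutex at the start of main()
 * instead of with the static initialiser. */
int init_lock_in_main(pthread_mutex_t *m)
{
    return pthread_mutex_init(m, NULL);
}

int main(void)
{
    struct pkt_stats s;
    unsigned long total = run_capture(2, 100000, &s);
    printf("analyzed %lu (tcp %lu, udp %lu) discarded %lu\n",
           total, s.tcp, s.udp, s.discarded);
    return total == 200000 ? 0 : 1;
}
```

With the lock in place the counters add up exactly (two interfaces of 100000 packets give 200000 analysed); removing the lock/unlock pair around process_packet() is the quickest way to reproduce the kind of inconsistent totals seen in the statistics above.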
