[Snort-devel] spp_stream4.c complains of bad build_data.total_size

William Barber wbarber at ...86...
Thu Jun 20 14:01:07 EDT 2002

Hi Folks,

I'm attempting to use snort stream4 assembly, and then pass 
the assembled packets to another preprocessor, which I wrote,
which "exports" the packets to some separate packeting-processing

It does not look to me as if snort is successfully assembling
things into the relatively large packets I expect, but I'm not 
sure how to interpret the debug msgs.  I get the same behavior
running snort versions 1.8.6, 1.8.7beta6, and snort-stable as 
of the afternoon of Monday 6/17 (line numbers below relate to
that latest version).

I'm testing by running snort against a tcpdump file created by 
downloading a couple of large web pages (over a dial-up line).  

In DropStats(), snort tells me that it reconstructed 12 packets, 
but in each case, the debug log shows the msg:

spp_stream4.c:3289: stream_size(758) != bd.total_size(67), that's bad, m'kay?
spp_stream4.c:3289: stream_size(1282) != bd.total_size(22), that's bad, m'kay?
spp_stream4.c:3289: stream_size(776) != bd.total_size(67), that's bad, m'kay?
spp_stream4.c:3289: stream_size(1220) != bd.total_size(90), that's bad, m'kay?
spp_stream4.c:3289: stream_size(2206) != bd.total_size(67), that's bad, m'kay?
spp_stream4.c:3289: stream_size(771) != bd.total_size(67), that's bad, m'kay?
spp_stream4.c:3289: stream_size(770) != bd.total_size(67), that's bad, m'kay?
spp_stream4.c:3289: stream_size(10442) != bd.total_size(84), that's bad, m'kay?
spp_stream4.c:3289: stream_size(18913) != bd.total_size(77), that's bad, m'kay?
spp_stream4.c:3289: stream_size(30649) != bd.total_size(24), that's bad, m'kay?
spp_stream4.c:3289: stream_size(24909) != bd.total_size(36), that's bad, m'kay?
spp_stream4.c:3289: stream_size(31369) != bd.total_size(12), that's bad, m'kay?

These occur after the TraverseFunc() call:

  /* walk the packet tree (in order) and rebuild the app layer data */
  (void)ubi_trTraverse(s->dataPtr, TraverseFunc, &bd);

The 'application data' dumped from each of these is all zeroes.

The DropStats() data looks like:


Snort processed 637 packets.
Breakdown by protocol:                Action Stats:

    TCP: 637        (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0

TCP Stream Reassembly Stats:
   TCP Packets Used:      345        (54.160%)
   Reconstructed Packets: 12         (1.884%)
   Streams Reconstructed: 23

(There were 292 "Bad TCP checksum" msgs, which seems to account for the 
rest of the 637 total packets.)

My test snort config file looks like:

  var HOME_NET any
  var EXTERNAL_NET any
  preprocessor frag2: timeout 6000, memcap 67108864
  preprocessor stream4: timeout 6000, memcap 67108864, keepstats
  preprocessor stream4_reassemble: both, ports all

I can provide a lot more information (including the tcpdump file, and
details of how I'm calling snort functions), but I'm not sure what would 
be the most helpful at this point.

Thanks for any help, Bill Barber

More information about the Snort-devel mailing list