[Snort-devel] spp_stream4.c complains of bad build_data.total_size

Chris Green cmg at ...402...
Fri Jun 21 07:03:03 EDT 2002


William Barber <wbarber at ...86...> writes:

> Hi Folks,
>
> I'm attempting to use snort stream4 assembly, and then pass 
> the assembled packets to another preprocessor, which I wrote,
> which "exports" the packets to some separate packeting-processing
> software.
>
> I can provide a lot more information (including the tcpdump file, and
> details of how I'm calling snort functions), but I'm not sure what would 
> be the most helpful at this point.

Could you send me a copy of the packets you're seeing?  That's usually
the easiest way to tell whats going on.  There are a handful of people
on the planet those debug messages make sense to :)

Would you perhaps only be seeing half of the packets ( via an ethernet
tap or asynchronus link ).

Since you are only interested in rebuilt packets, I would write a
preprocessor that throws away everything that fails
(p->packet_flags & PKT_REBUILT_STREAM)

Cheers,
Chris
-- 
Chris Green <cmg at ...402...>
A good pun is its own reword.




More information about the Snort-devel mailing list