[Snort-devel] Statistics strangeness on Linux

Erik de Castro Lopo erikd+snort at ...2292...
Mon Jan 5 21:02:01 EST 2004


On Mon, 22 Dec 2003 11:25:10 +1100
Erik de Castro Lopo <erikd+snort at ...2292...> wrote:

> Hi all,
> 
> I'm playing around with Snort (2.05 and now 2.10) on Linux 2.4. Running 
> it in fast alert mode:
> 
>    /usr/local/bin/snort -b -A fast -c /usr/local/etc/snort.conf
> 
> and then sending it a SIGUSR1, I can get some pretty odd results in the
> statistics, the worst of which was this:
> 
>     Snort analyzed 17 out of 17 packets, dropping 0(0.000%) packets
> 
>     Breakdown by protocol:                Action Stats:
>         TCP: 41196582   (242332848.000%)         ALERTS: 0
>         UDP: 321        (1888.235%)         LOGGED: 0

I have submitted a patch for libpcap that fixes the above weirdness:

   http://cvs.tcpdump.org/cgi-bin/cvsweb/libpcap/pcap-linux.c

The problem was a result of Linux having slightly different behaviour 
to FreeBSD when retrieving packet statistics from their respective
kernels.

Erik
-- 
------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo at ...2292...
[W] http://www.sensorynetworks.com
[T] +61 2 83022726 
[F] +61 2 94750316 
[A] L4/140 William St, East Sydney NSW 2011, Australia
------------------------------------------------------
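The quoted report shows what happens when a decoder divides its own per-protocol counts by a "received" total that the capture library reported as only 17. The following is an added example, not Snort's or libpcap's code: it reconstructs the quoted numbers from constructed counters and shows the sanity check a consumer of pcap_stats() can apply before computing percentages. The single-precision arithmetic in pct() is an assumption, chosen because it reproduces the 242332848.000% figure exactly.

```c
#include <stdio.h>
#include <stdint.h>

/* Per-protocol counters as a decoder like Snort keeps them (constructed). */
struct pkt_counts {
    uint64_t total;   /* packets the decoder actually processed */
    uint64_t tcp;
    uint64_t udp;
};

/* Percentage of part over whole in single precision; using float is an
 * assumption, made because it reproduces the 242332848.000% figure. */
float pct(uint64_t part, uint64_t whole)
{
    if (whole == 0)
        return 0.0f;
    return (float)part / (float)whole * 100.0f;
}

/* The capture library's "received" figure is only usable as a denominator
 * if it is at least the number of packets the decoder saw; a smaller value
 * means the two sides count differently, as in the quoted run. */
int stats_consistent(uint64_t lib_received, const struct pkt_counts *c)
{
    return lib_received >= c->total && c->tcp + c->udp <= c->total;
}

/* Choose the denominator, falling back to the decoder's own total and
 * setting *fell_back when the library figure cannot be trusted. */
uint64_t stats_denominator(uint64_t lib_received, const struct pkt_counts *c,
                           int *fell_back)
{
    *fell_back = !stats_consistent(lib_received, c);
    return *fell_back ? c->total : lib_received;
}

void print_breakdown(uint64_t lib_received, const struct pkt_counts *c)
{
    int fb;
    uint64_t d = stats_denominator(lib_received, c, &fb);
    printf("analyzed %llu out of %llu packets%s\n", (unsigned long long)c->total,
           (unsigned long long)d, fb ? " (library count rejected)" : "");
    printf("    TCP: %llu (%.3f%%)\n", (unsigned long long)c->tcp, pct(c->tcp, d));
    printf("    UDP: %llu (%.3f%%)\n", (unsigned long long)c->udp, pct(c->udp, d));
}

int main(void)
{
    /* Constructed sample matching the quoted run: library reports 17
     * received, decoder has counted 41196582 TCP and 321 UDP. */
    struct pkt_counts c = { 41196582 + 321, 41196582, 321 };
    print_breakdown(17, &c);
    return 0;
}
```

Without the check, pct(41196582, 17) yields the 242332848.000% seen in the report; with it, the decoder's own total is used and the breakdown stays below 100%.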