[Snort-devel] Timer in the flows preprocessor

Jay Beale jay at ...2665...
Thu Nov 11 14:21:02 EST 2004


Raymond Pun wrote:
> Hi,
> 
> There is a parameter for the flow preprocessor that tells the inteveral 
> for reporting statistic. How the flow preprocessor output to screen 
> periodically? Is it using somekind of timer? I am not able to find it in 
> the code. Could someone please point it to me?

Well, the interval is set to the default in  FlowInit() and then set to
the value written in the config file, if any, by  FlowParseArgs().  They
store this in the s_config struct's stats_interval variable.

In FlowPreprocessor(), this is used by this code:

 /* printout some verbose statistics */
    if(s_config.stats_interval  &&
       ((last_output + s_config.stats_interval) <= p->pkth->ts.tv_sec))
    {
        last_output =  p->pkth->ts.tv_sec;

        if(!pv.quiet_flag)
            flowcache_stats(stdout, fcache);
    }

The code here checks if this packet came in stats_interval or more
seconds since the time of the last output.  If it has, it sets
last_output to the time of the current packet and calls
flowcache_stats() to print statistics.

That function is in the flow_cache.c code in the preprocessor/flow
directory, which might be confusing you.  The flow and HttpInspect
preprocessors get their own directories for most of their code, as its
broken up into a number of files.

 - Jay




More information about the Snort-devel mailing list