[Snort-devel] Add ether LOOPBACK stat on snort 233b14

rmkml rmkml at ...879...
Sun Apr 24 06:48:00 EDT 2005


Hi,

I use snort 233 on my network,

I have 'OTHER' stat packets,

On analysing this packet, I found an Ethernet loopback packet (0x9000),

Look at my little patch for adding 'LOOP' stat packets (and reducing 'OTHER' 
stat packets).


On my network, I don't have 'DISCARD' stat packets,
but after this patch, I don't know why 'DISCARD' is more than zero!

Regards

Rmkml at ...879...

Change src/util.c :
                          + pc.ipx
                          + pc.eapol
                          + pc.ipv6
         +                + pc.loop
                          + pc.other
                          + pc.discards
                          + pc.rebuild_element
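
Review bot: the added "+ pc.loop" term keeps this sum correct only if a 0x9000 frame is counted in exactly one of pc.loop and pc.other. These frames were landing in OTHER before and the sum already includes pc.other, so the total depends on the new case in src/decode.c returning before the path that increments pc.other. The decode.c hunk does return from the new case; a short comment here noting that loop was split out of other would make that dependency visible to the next person who edits the sum.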
...
                      pc.ipv6, CalcPct((float) pc.ipv6, recv));
              LogMessage("    IPX: %-10lu (%.3f%%)\n",
                      pc.ipx, CalcPct((float) pc.ipx, recv));
         +    LogMessage("   LOOP: %-10lu (%.3f%%)\n",
         +            pc.loop, CalcPct((float) pc.loop, recv));
              LogMessage("  OTHER: %-10lu (%.3f%%)\n",
                      pc.other, CalcPct((float) pc.other, recv));
              LogMessage("DISCARD: %-10lu (%.3f%%)\n",
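
Review bot: the LOOP line is printed after IPX, while the sum in the previous hunk and the struct in src/snort.h both place loop directly after ipv6. Keeping one order in all three places makes the counters easier to cross-check. The label is also ambiguous, since "LOOP" can be read as loopback-interface traffic; a comment or a label stating that it counts EtherType 0x9000 frames would help.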

Change src/decode.c :
                              (cap_len - ETHERNET_HEADER_LEN));
                      return;

         +        case ETHERNET_TYPE_LOOP:
         +            DecodeLOOP(p->pkt + ETHERNET_HEADER_LEN,
         +                    (cap_len - ETHERNET_HEADER_LEN));
         +            return;
         +
                  case ETHERNET_TYPE_8021Q:
                      DecodeVlan(p->pkt + ETHERNET_HEADER_LEN,
                              cap_len - ETHERNET_HEADER_LEN, p);
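
Review bot: the new case uses ETHERNET_TYPE_LOOP and calls DecodeLOOP(), but the patch as posted touches only src/util.c, src/decode.c and src/snort.h and shows neither a definition of the constant nor a prototype for the function. If they are not already in the tree, the define (0x9000 per the description) and the prototype belong in the header that declares the other Decode* functions and should be part of this patch; an implicitly declared DecodeLOOP() at this call site will at best produce a compiler warning.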
...
          {
              DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IPv6 is not 
supported.\n"););
              pc.ipv6++;
         +    return;
         +}
         +
         +
         +/*
         + * Function: DecodeLOOP(u_int8_t *, u_int32_t)
         + *
         + * Purpose: Just like IPX, it's just for counting.
         + *
         + * Arguments: pkt => ptr to the packet data
         + *            len => length from here to the end of the packet
         + *
         + * Returns: void function
         + */
         +void DecodeLOOP(u_int8_t *pkt, u_int32_t len)
         +{
         +    DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Loop is not 
supported.\n"););
         +    pc.loop++;
              return;
          }
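
Review bot: DecodeLOOP() never uses pkt or len, so the pointer and length computed at the call site are dead and some compilers will warn about unused parameters. Since the function only increments pc.loop, either state in the header comment that both arguments are intentionally ignored or drop them. The debug string "Loop is not supported." would read better if it said that Ethernet loopback (0x9000) frames are counted but not decoded. The mailer has also wrapped the DEBUG_WRAP line inside the string literal, so the hunk will not compile as pasted; sending the change as a unified diff attachment avoids that.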

Change src/snort.h :
              u_long arp;
              u_long eapol;
              u_long ipv6;
         +    u_long loop;
              u_long ipx;
              u_long discards;
              u_long alert_pkts;
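
Review bot: "u_long loop;" is inserted in the middle of the counter struct, between ipv6 and ipx, which shifts the offsets of ipx, discards, alert_pkts and every field after them. Every object file that includes snort.h has to be recompiled after this change; a stale object would update the wrong counter, which is worth ruling out with a clean rebuild given the unexpected DISCARD count reported above. Appending the new field at the end of the struct would avoid shifting the existing fields.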



