[Snort-devel] Add ether LOOPBACK stat on snort 233b14

rmkml rmkml at ...879...
Sun Apr 24 06:57:03 EDT 2005


and change src/decode.h :
 	 #define ETHERNET_TYPE_PPPoE_DISC      0x8863 /* discovery stage */
 	 #define ETHERNET_TYPE_PPPoE_SESS      0x8864 /* session stage */
 	 #define ETHERNET_TYPE_8021Q           0x8100
 	+#define ETHERNET_TYPE_LOOP            0x9000

 	 #define ETH_DSAP_SNA                  0x08    /* SNA */
 	 #define ETH_SSAP_SNA                  0x00    /* SNA */
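Review bot: `ETHERNET_TYPE_LOOP` is added without a comment, while the PPPoE defines just above it each say what they are. Naming the protocol would help, e.g. `#define ETHERNET_TYPE_LOOP            0x9000 /* Ethernet loopback (configuration test) */`. The decoder added in the same patch only counts these frames, so this define is the one place a reader learns what 0x9000 stands for.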
...
 	 void DecodeEapol(u_int8_t *, u_int32_t, Packet *);
 	 void DecodeEapolKey(u_int8_t *, u_int32_t, Packet *);
 	 void DecodeIPV6(u_int8_t *, u_int32_t);
 	+void DecodeLOOP(u_int8_t *, u_int32_t);
 	 void DecodeIPX(u_int8_t *, u_int32_t);
 	 void DecodeTCP(u_int8_t *, const u_int32_t, Packet *);
 	 void DecodeUDP(u_int8_t *, const u_int32_t, Packet *);


On Sun, 24 Apr 2005, rmkml wrote:

> Date: Sun, 24 Apr 2005 15:48:28 +0200 (CEST)
> From: rmkml <rmkml at ...879...>
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Add ether LOOPBACK stat on snort 233b14
> 
> Hi,
>
> I use snort 233 on my network,
>
> and I see 'OTHER' stat packets.
>
> Analysing these packets, I found ethernet loopback packets (0x9000).
>
> Here is my little patch that adds a 'LOOP' packet stat (and reduces the 'OTHER' 
> packet stat).
>
>
> On my network, I don't have any 'DISCARD' stat packets,
> but after this patch, I don't know why 'DISCARD' is more than zero!
>
> Regards
>
> Rmkml at ...879...
>
> Change src/util.c :
>                         + pc.ipx
>                         + pc.eapol
>                         + pc.ipv6
>        +                + pc.loop
>                         + pc.other
>                         + pc.discards
>                         + pc.rebuild_element
> ...
>                     pc.ipv6, CalcPct((float) pc.ipv6, recv));
>             LogMessage("    IPX: %-10lu (%.3f%%)\n",
>                     pc.ipx, CalcPct((float) pc.ipx, recv));
>        +    LogMessage("   LOOP: %-10lu (%.3f%%)\n",
>        +            pc.loop, CalcPct((float) pc.loop, recv));
>             LogMessage("  OTHER: %-10lu (%.3f%%)\n",
>                     pc.other, CalcPct((float) pc.other, recv));
>             LogMessage("DISCARD: %-10lu (%.3f%%)\n",
>
> Change src/decode.c :
>                             (cap_len - ETHERNET_HEADER_LEN));
>                     return;
>
>        +        case ETHERNET_TYPE_LOOP:
>        +            DecodeLOOP(p->pkt + ETHERNET_HEADER_LEN,
>        +                    (cap_len - ETHERNET_HEADER_LEN));
>        +            return;
>        +
>                 case ETHERNET_TYPE_8021Q:
>                     DecodeVlan(p->pkt + ETHERNET_HEADER_LEN,
>                             cap_len - ETHERNET_HEADER_LEN, p);
> ...
>         {
>             DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "IPv6 is not 
> supported.\n"););
>             pc.ipv6++;
>        +    return;
>        +}
>        +
>        +
>        +/*
>        + * Function: DecodeLOOP(u_int8_t *, u_int32_t)
>        + *
>        + * Purpose: Just like IPX, it's just for counting.
>        + *
>        + * Arguments: pkt => ptr to the packet data
>        + *            len => length from here to the end of the packet
>        + *
>        + * Returns: void function
>        + */
>        +void DecodeLOOP(u_int8_t *pkt, u_int32_t len)
>        +{
>        +    DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Loop is not 
> supported.\n"););
>        +    pc.loop++;
>             return;
>         }
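Review bot: The `DEBUG_WRAP(DebugMessage(...))` string literal in `DecodeLOOP` is split across two lines by the mailer (`"Loop is not` / `supported.\n"`), and the IPv6 context line above it is wrapped the same way. As posted, the fragment will probably neither apply with `patch` nor build cleanly, so it should be resent unwrapped (as an attachment) with proper hunk headers. `pkt` and `len` are never read, which is fine for a counter-only stub, but the header comment should say so, e.g. `* Note: pkt and len are unused; any later parsing must bounds-check len first.` The caller computes `cap_len - ETHERNET_HEADER_LEN` in unsigned arithmetic, so that reminder matters if the stub ever grows. The first added `return; }` closes the IPv6 decoder, whose start is outside this hunk.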
>
> Change src/snort.h :
>             u_long arp;
>             u_long eapol;
>             u_long ipv6;
>        +    u_long loop;
>             u_long ipx;
>             u_long discards;
>             u_long alert_pkts;
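Review bot: `u_long loop;` is inserted in the middle of the counter struct, which shifts the offset of `ipx`, `discards`, `alert_pkts` and every field after them. If any object file that touches `pc` is not rebuilt against the new header, its increments land on a neighbouring counter. That is one possible explanation for the non-zero DISCARD the author reports, though it cannot be confirmed from these fragments. Appending the new field at the end of the struct, or doing a clean rebuild before comparing statistics, avoids the mismatch. The struct starts and ends outside this hunk.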
>
>



