[Snort-devel] perfmon pp and libpcap-0.9.5 (LINUX)

Benjamin Small benjamin.small83 at ...2499...
Tue Jun 19 14:48:07 EDT 2007


I wanted to make the community aware of a discovery I made
in libpcap 0.9.5 vs libpcap 0.8.3 and how it affects the perfmonitor
preprocessor. In the newer version, pcap_stats keeps a running
count of packets received and dropped. I briefly did a look over and
I think I have found the reason.

The relevant lines are in pcap-linux.c:

- libpcap-0.8.3
852:handle->md.stat.ps_recv = kstats.tp_packets;
853:handle->md.stat.ps_drop = kstats.tp_drops;

- libpcap-0.9.5
721:handle->md.stat.ps_recv += kstats.tp_packets;
722:handle->md.stat.ps_drop += kstats.tp_drops;

This behavior seems to affect the perfmonitor preprocessor, causing
counts to never reset, only accumulate. The perfmonitor preprocessor uses
these counts to either add or "reset" its own count to the numbers of these
variables. If I get time, I'll write a patch (as well as delve further into
confirming this, specifically, is the problem). I identified this as the
from research starting in GetPktDropStats in perf-base.c
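
An added illustration, not part of the original post and not libpcap or Snort code: a small model of the two assignments quoted above, showing what a monitor reports per interval when it reads the counters raw versus when it subtracts the previous snapshot. It assumes each kernel reading covers only the period since the previous read; the names `model_stats`, `delta`, `reported_drops` and the sample figures are constructed for this example.

```c
#include <stdio.h>

/* Constructed sample: packets received / dropped by the kernel in each interval. */
static const unsigned SAMPLE[3][2] = { {1000, 10}, {2000, 0}, {1500, 5} };

struct stats { unsigned ps_recv, ps_drop; };   /* stands in for struct pcap_stat */
enum model { ASSIGN_083, ACCUMULATE_095 };     /* hypothetical names for the two versions */

/* The two assignments quoted in the post, applied to one kernel reading. */
static void model_stats(enum model m, struct stats *md, const unsigned k[2]) {
    if (m == ASSIGN_083) { md->ps_recv = k[0];  md->ps_drop = k[1]; }
    else                 { md->ps_recv += k[0]; md->ps_drop += k[1]; }
}

/* Per-interval figures from cumulative counters: subtract the previous snapshot.
   Unsigned subtraction also stays correct across a counter wrap. */
static struct stats delta(struct stats *prev, struct stats now) {
    struct stats d = { now.ps_recv - prev->ps_recv, now.ps_drop - prev->ps_drop };
    *prev = now;
    return d;
}

/* Drops a monitor would report for interval i; use_delta selects the consumer. */
unsigned reported_drops(enum model m, int use_delta, int i) {
    struct stats md = {0, 0}, prev = {0, 0}, out = {0, 0};
    for (int n = 0; n <= i; n++) {
        model_stats(m, &md, SAMPLE[n]);
        out = use_delta ? delta(&prev, md) : md;
    }
    return out.ps_drop;
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("interval %d: 0.8.3 raw=%u  0.9.5 raw=%u  0.9.5 delta=%u\n", i,
               reported_drops(ASSIGN_083, 0, i),
               reported_drops(ACCUMULATE_095, 0, i),
               reported_drops(ACCUMULATE_095, 1, i));
    return 0;
}
```

A consumer written against the assigning behavior reports an inflated drop count on every interval after the first once the counters accumulate; the snapshot subtraction restores the per-interval figures.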
