[Snort-devel] perfmon pp and libpcap-0.9.5 (LINUX)

Steven Sturges steve.sturges at ...402...
Thu Jun 21 11:54:01 EDT 2007


Thanks, Benjamin.

Does anyone know specifically when the change occurred -- what
version of pcap was the last to use the old (0.8.3) style?

This sounds like a good candidate to go into the FAQ.
We can look into adding changes to perfmon and DropStats()
(in util.c if necessary) to do the correct thing based on the
pcap version.

Cheers.
-steve

Benjamin Small wrote:
> Hello,
> 
> I wanted to make the community aware of a discovery I made
> in libpcap 0.9.5 vs libpcap 0.8.3 and how it affects the perfmonitor
> preprocessor. In the newer version, pcap_stats keeps a running
> count of packets received and dropped. I briefly did a look over and
> I think I have found the reason.
> 
> The relevant lines are in pcap-linux.c:
> 
> - libpcap-0.8.3
> 852:handle->md.stat.ps_recv = kstats.tp_packets;
> 853:handle->md.stat.ps_drop = kstats.tp_drops;
> 
> - libpcap-0.9.5
> 721:handle->md.stat.ps_recv += kstats.tp_packets;
> 722:handle->md.stat.ps_drop += kstats.tp_drops;
> 
> This behavior seems to affect the perfmonitor preprocessor, causing
> counts to never reset, only accumulate. The perfmonitor preprocessor uses
> these counts to either add or "reset" its own count to the numbers of these
> variables. If I get time, I'll write a patch (as well as delve further into
> confirming this, specifically, is the problem). I identified this as the
> problem from research starting in GetPktDropStats in perf-base.c.
> 
> Regards,
> Benjamin
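
An added example, not Snort or libpcap code, of how a consumer of these counters can report per-interval receive and drop counts under either behaviour quoted above. The `stat_sample` struct, the `interval_tracker` helper and its function names are hypothetical; the mode is chosen by the caller because the thread leaves open which release made the change, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two struct pcap_stat fields quoted in the thread. */
struct stat_sample { uint32_t ps_recv, ps_drop; };

/* STATS_PER_READ:   each read returns counts since the previous read ("=" lines, 0.8.3).
 * STATS_CUMULATIVE: each read returns a running total ("+=" lines, 0.9.5). */
enum stat_mode { STATS_PER_READ, STATS_CUMULATIVE };

struct interval_tracker {            /* hypothetical helper, not Snort code */
    enum stat_mode mode;
    struct stat_sample prev;         /* last raw sample (cumulative mode only) */
    uint64_t total_recv, total_drop; /* totals since tracker_init() */
};

void tracker_init(struct interval_tracker *t, enum stat_mode mode)
{
    t->mode = mode;
    t->prev.ps_recv = t->prev.ps_drop = 0;
    t->total_recv = t->total_drop = 0;
}

/* Convert one raw sample into counts for the interval that just ended. */
struct stat_sample tracker_update(struct interval_tracker *t, struct stat_sample raw)
{
    struct stat_sample d = raw;
    if (t->mode == STATS_CUMULATIVE) {
        /* Unsigned subtraction is modulo 2^32, so a single counter wrap is handled. */
        d.ps_recv = raw.ps_recv - t->prev.ps_recv;
        d.ps_drop = raw.ps_drop - t->prev.ps_drop;
        t->prev = raw;
    }
    t->total_recv += d.ps_recv;
    t->total_drop += d.ps_drop;
    return d;
}

int main(void)
{
    /* Constructed samples: running totals as a cumulative source would report them. */
    struct stat_sample raw[] = { {100, 5}, {250, 5}, {400, 25} };
    struct interval_tracker t;
    tracker_init(&t, STATS_CUMULATIVE);
    for (int i = 0; i < 3; i++) {
        struct stat_sample d = tracker_update(&t, raw[i]);
        printf("interval %d: recv=%u drop=%u\n", i, (unsigned)d.ps_recv, (unsigned)d.ps_drop);
    }
    printf("totals: recv=%llu drop=%llu\n",
           (unsigned long long)t.total_recv, (unsigned long long)t.total_drop);
    return 0;
}
```

Feeding the same cumulative samples through `STATS_PER_READ` reproduces the symptom described in the quoted message: the totals grow by the full running count on every read.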