[Snort-devel] spo_alert_unixsock is broken, patch attached

Stephen J. Sadowski stephen.j.sadowski at ...2927...
Wed Mar 14 09:53:24 EDT 2007


On Tue, 2007-03-13 at 17:43 +0100, Dirk Geschke wrote:
> BTW: Does anyone understand this definition:
> 
> /* IRIX 6.2 hack! */
> #ifndef IRIX
>     #define SNAPLEN         1514
> #else
>     #define SNAPLEN         1500
> #endif
> 
> I think for Ethernet it should be 1514 regardless of which OS, normally
> 14 bytes are the size of the MAC header... (Ok, 1518 would be more
> precise but the last 4 bytes are only an end marker.)

On IRIX, libpcap won't set the snapshot length to more than 1514 bytes -
I think this is for managing that peculiarity internal to snort rather
than passing it off to libpcap to handle.

I haven't dug too much, and don't know if this is exactly the right
answer, but it's my best guess.

-Stephen





