[Snort-devel] Question regarding Flowbits

Steven Sturges steve.sturges at ...402...
Fri May 30 16:31:28 EDT 2008


It's all alloc'd together, just the structure only references a single
byte.  When the buffer for the Stream (or Flow) is allocated as a hash
table entry, it's allocated as the entire structure plus the space for
the flowbits.  The structure includes the 1st byte in StreamFlowData,
but the size alloc'd includes enough space for storage of all possible
flow bits.

That's a reasonably common thing to do when an array size is not known
at compile time, so long as the variable size field of the structure
is declared at the end.

Adayadil Thomas wrote:
> Is there a reason for having 1 byte in FLOWDATA structure and the rest
> allocated through hash table ?
> 
> Thanks
> 
> On Fri, May 30, 2008 at 2:49 PM, Steven Sturges
> <steve.sturges at ...402...> wrote:
>> There is a value giFlowbitSize that is configurable.  That is the
>> size (in bytes) of the allocated space, either in Stream or in Flow
>> preprocessor.
>>
>> The StreamFlowData structure has a single byte reference that is
>> the 1st byte of the flowbit storage, yet the data that gets alloc'd
>> is usually larger.
>>
>> Cheers.
>> -steve
>>
>> Adayadil Thomas wrote:
>>> Greetings.
>>>
>>> I am looking through the source code of snort 2.8.1 and I am trying to
>>> understand
>>> the allocation for memory for flowbits data.
>>>
>>> If x bytes (x times 8 bits) are needed for flowbits data, how and
>>> where the memory
>>> is allocated? If you can specify the file/function that I am looking
>>> for that would be great.
>>>
>>> Thanks
>>> Aday
>>>
> 
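
Added example, not part of the original thread and not Snort's code: a C illustration of the allocation pattern described in the reply above, with the range check that keeps a bit index inside the allocated storage. The type flow_data_t, its fields, and the flowbit_* functions are hypothetical names; nbytes stands in for the configured size (giFlowbitSize in the thread).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical layout modelled on the thread; not Snort's StreamFlowData. */
typedef struct {
    unsigned int  session_flags; /* stand-in for the fixed-size fields */
    size_t        nbytes;        /* bytes of bit storage in this allocation */
    unsigned char bits[1];       /* first byte of storage; must be declared last */
} flow_data_t;

/* One allocation holds the fixed fields plus nbytes of bit storage. */
flow_data_t *flow_data_new(size_t nbytes)
{
    size_t head = offsetof(flow_data_t, bits);
    if (nbytes == 0 || nbytes > SIZE_MAX - head)
        return NULL;                      /* reject empty or overflowing sizes */
    size_t total = head + nbytes;
    if (total < sizeof(flow_data_t))
        total = sizeof(flow_data_t);      /* never allocate less than the struct */
    flow_data_t *fd = calloc(1, total);   /* zeroed: all bits start cleared */
    if (fd)
        fd->nbytes = nbytes;
    return fd;
}

/* Address of the storage, computed from the start of the allocation. */
static unsigned char *storage(flow_data_t *fd)
{
    return (unsigned char *)fd + offsetof(flow_data_t, bits);
}

/* Returns 0 on success, -1 if the bit lies outside the allocated storage. */
int flowbit_set(flow_data_t *fd, size_t bit)
{
    if (!fd || bit / 8 >= fd->nbytes)
        return -1;
    storage(fd)[bit / 8] |= (unsigned char)(1u << (bit % 8));
    return 0;
}

/* Returns 1 or 0 for the bit value, -1 if the bit is out of range. */
int flowbit_isset(flow_data_t *fd, size_t bit)
{
    if (!fd || bit / 8 >= fd->nbytes)
        return -1;
    return (storage(fd)[bit / 8] >> (bit % 8)) & 1;
}
```

Because the declared array is one byte long, sizeof(flow_data_t) says nothing about the usable storage; every access has to be checked against the size recorded at allocation time.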



