[Snort-devel] Snort processes more packets than in pcap?

danjobkeule danjobkeule at ...1980...
Mon Dec 14 09:03:20 EST 2009


Hi, I'm using snort-2.8.3.1. Here is the link to the pcap:

http://uploaded.to/file/la8d4t

Danjobkeule


> Hi,
> what Snort version do you use, please?
> Maybe send the pcap to the list?
> Regards
> Rmkml
> Crusoe-Researches.com
>
>
> On Wed, 9 Dec 2009, danjobkeule wrote:
>
>> Dear community,
>>
>> I am wondering about Snort processing 3 packets, although in the pcap I
>> feed Snort with there are just 2 packets (both are SMB packets).
>> How can that be? I assume that some preprocessors "generate" a new
>> packet, but could anybody give an explanation for that?
>>
>>
>>
>>
>> ===============================================================================
>> Snort processed 3 packets.
>> ===============================================================================
>> Breakdown by protocol (includes rebuilt packets):
>> ETH: 3 (100.000%)
>> ETHdisc: 0 (0.000%)
>> VLAN: 0 (0.000%)
>> IPV6: 0 (0.000%)
>> IP6 EXT: 0 (0.000%)
>> IP6opts: 0 (0.000%)
>> IP6disc: 0 (0.000%)
>> IP4: 3 (100.000%)
>> IP4disc: 0 (0.000%)
>> TCP 6: 0 (0.000%)
>> UDP 6: 0 (0.000%)
>> ICMP6: 0 (0.000%)
>> ICMP-IP: 0 (0.000%)
>> TCP: 2 (66.667%)
>> UDP: 0 (0.000%)
>> ICMP: 0 (0.000%)
>> TCPdisc: 0 (0.000%)
>> UDPdisc: 0 (0.000%)
>> ICMPdis: 0 (0.000%)
>> FRAG: 0 (0.000%)
>> FRAG 6: 0 (0.000%)
>> ARP: 0 (0.000%)
>> EAPOL: 0 (0.000%)
>> ETHLOOP: 0 (0.000%)
>> IPX: 0 (0.000%)
>> OTHER: 0 (0.000%)
>> DISCARD: 0 (0.000%)
>> InvChkSum: 0 (0.000%)
>> S5 G 1: 0 (0.000%)
>> S5 G 2: 1 (33.333%)
>> Total: 3
>> ===============================================================================
>>
>> Action Stats:
>> ALERTS: 1
>> LOGGED: 1
>> PASSED: 0
>>
>> ===============================================================================
>>
>> Stream5 statistics:
>> Total sessions: 1
>> TCP sessions: 1
>> UDP sessions: 0
>> ICMP sessions: 0
>> TCP Prunes: 0
>> UDP Prunes: 0
>> ICMP Prunes: 0
>> TCP StreamTrackers Created: 1
>> TCP StreamTrackers Deleted: 1
>> TCP Timeouts: 0
>> TCP Overlaps: 0
>> TCP Segments Queued: 1
>> TCP Segments Released: 1
>> TCP Rebuilt Packets: 1
>> TCP Segments Used: 1
>> TCP Discards: 0
>> UDP Sessions Created: 0
>> UDP Sessions Deleted: 0
>> UDP Timeouts: 0
>> UDP Discards: 0
>> Events: 0
>> =============================================================================== 
>>
>> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>> POST methods: 0
>> GET methods: 0
>> Headers extracted: 0
>> Header Cookies extracted: 0
>> Post parameters extracted: 0
>> Unicode: 0
>> Double unicode: 0
>> Non-ASCII representable: 0
>> Base 36: 0
>> Directory traversals: 0
>> Extra slashes ("//"): 0
>> Self-referencing paths ("./"): 0
>> Total packets processed: 3
>> =============================================================================== 
>>
>> =============================================================================== 
>>
>> Snort exiting
>>
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>
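The summary quoted above already carries the numbers needed to reconcile the two counts: the protocol breakdown is labelled "includes rebuilt packets", its "S5 G 2" row is 1, and the Stream5 block reports "TCP Rebuilt Packets: 1", so 2 wire packets plus 1 Stream5-reassembled pseudo-packet gives the 3 that Snort reports. The script below is an added example, not code from the thread or from the Snort project: it parses a Snort 2.8-style summary, treats the "S5 G" rows as the rebuilt pseudo-packets (that reading is an assumption taken from the summary's own note and counters), cross-checks them against the Stream5 counter, and compares the remaining wire-packet count with the number of records in a classic libpcap file. The summary text and the two-frame pcap are constructed inline from the thread's figures so the script runs offline; the pcap helper deliberately handles only the classic libpcap format, not pcapng.

```python
import re
import struct
from dataclasses import dataclass

# Constructed sample: the counters from the summary quoted in this thread,
# condensed to one "Label: N" per line (the percentage columns are kept
# where the original had them; the parser ignores them).
SAMPLE_SUMMARY = """\
===============================================================================
Snort processed 3 packets.
===============================================================================
Breakdown by protocol (includes rebuilt packets):
ETH: 3 (100.000%)
IP4: 3 (100.000%)
TCP: 2 (66.667%)
UDP: 0 (0.000%)
FRAG: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 1 (33.333%)
Total: 3
===============================================================================
Stream5 statistics:
Total sessions: 1
TCP sessions: 1
TCP Segments Queued: 1
TCP Rebuilt Packets: 1
TCP Segments Used: 1
===============================================================================
"""

PROCESSED_RE = re.compile(r"Snort processed (\d+)\s*packets")
# Matches "Label: 42" (trailing "(x.xxx%)" is ignored); labels with
# parentheses, such as the "Breakdown by protocol (...)" heading, do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 \-]*?):\s*(\d+)\b")


def parse_snort_summary(text):
    """Return (processed, counters): the 'Snort processed N' figure and a
    dict of every 'Label: N' row found in the summary."""
    m = PROCESSED_RE.search(text)
    if not m:
        raise ValueError("no 'Snort processed N packets' line found")
    counters = {}
    for line in text.splitlines():
        cm = COUNTER_RE.match(line)
        if cm:
            counters[cm.group(1).strip()] = int(cm.group(2))
    return int(m.group(1)), counters


@dataclass
class Reconciliation:
    processed: int      # "Snort processed N packets"
    rebuilt: int        # Stream5 pseudo-packets counted in the breakdown
    wire_packets: int   # processed minus rebuilt
    pcap_packets: int   # records actually in the capture
    consistent: bool    # wire_packets == pcap_packets


def reconcile(summary_text, pcap_packets):
    """Explain a processed-vs-captured mismatch in terms of rebuilt packets.
    Assumption: the 'S5 G 1' / 'S5 G 2' rows are the Stream5 rebuilt
    pseudo-packets that the 'includes rebuilt packets' note refers to."""
    processed, c = parse_snort_summary(summary_text)
    rebuilt = c.get("S5 G 1", 0) + c.get("S5 G 2", 0)
    # Cross-check against the Stream5 block's own counter when it is present.
    s5 = c.get("TCP Rebuilt Packets")
    if s5 is not None and s5 != rebuilt:
        raise ValueError(f"breakdown counts {rebuilt} rebuilt packets, "
                         f"Stream5 reports {s5}")
    wire = processed - rebuilt
    return Reconciliation(processed, rebuilt, wire, pcap_packets,
                          wire == pcap_packets)


def count_pcap_packets(data):
    """Count records in a classic libpcap file (24-byte global header,
    16-byte record headers with incl_len at offset 8). pcapng is rejected."""
    if len(data) < 24:
        raise ValueError("short pcap global header")
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    off, n = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off += 16 + incl_len
        if off > len(data):
            raise ValueError("truncated packet record")
        n += 1
    return n


def _build_pcap(*frames):
    """Constructed test capture: little-endian libpcap, DLT 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f
                    for f in frames)
    return hdr + recs


# Two dummy 60-byte frames standing in for the two SMB packets of the thread.
SAMPLE_PCAP = _build_pcap(b"\x00" * 60, b"\x00" * 60)

if __name__ == "__main__":
    r = reconcile(SAMPLE_SUMMARY, count_pcap_packets(SAMPLE_PCAP))
    print(f"processed={r.processed} rebuilt={r.rebuilt} "
          f"wire={r.wire_packets} pcap={r.pcap_packets} "
          f"consistent={r.consistent}")
```

If `consistent` comes back False, the mismatch is not explained by Stream5 reassembly and is worth a closer look (frag3 reassembly, discarded or checksum-failed packets, or a pcapng file the counter helper does not read). The cross-check raises rather than guessing when the breakdown's S5 rows and the Stream5 counter disagree.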