[Snort-devel] Snort processes more packets than in pcap?

Todd Wease twease at ...402...
Mon Dec 14 09:14:32 EST 2009


The total count includes packets off the wire as well as reassembled 
packets.  The extra packet is probably a stream reassembled one.

On 12/14/2009 09:03 AM, danjobkeule wrote:
> Hi, I'm using snort-2.8.3.1. Here is the link to the pcap:
>
> http://uploaded.to/file/la8d4t
>
> Danjobkeule
>
>
>> Hi,
>> What Snort version do you use, please?
>> Maybe send the pcap to the list?
>> Regards
>> Rmkml
>> Crusoe-Researches.com
>>
>>
>> On Wed, 9 Dec 2009, danjobkeule wrote:
>>
>>> Dear community,
>>>
>>> I am wondering about Snort processing 3 packets, although the pcap I
>>> feed Snort with contains just 2 packets (both are SMB packets).
>>> How can that be? I assume that some preprocessor "generates" a new
>>> packet, but could anybody give an explanation for that?
>>>
>>>
>>>
>>>
>>> ===============================================================================
>>> Snort processed 3 packets.
>>> ===============================================================================
>>> Breakdown by protocol (includes rebuilt packets):
>>>     ETH: 3 (100.000%)
>>> ETHdisc: 0 (0.000%)
>>>    VLAN: 0 (0.000%)
>>>    IPV6: 0 (0.000%)
>>> IP6 EXT: 0 (0.000%)
>>> IP6opts: 0 (0.000%)
>>> IP6disc: 0 (0.000%)
>>>     IP4: 3 (100.000%)
>>> IP4disc: 0 (0.000%)
>>>   TCP 6: 0 (0.000%)
>>>   UDP 6: 0 (0.000%)
>>>   ICMP6: 0 (0.000%)
>>> ICMP-IP: 0 (0.000%)
>>>     TCP: 2 (66.667%)
>>>     UDP: 0 (0.000%)
>>>    ICMP: 0 (0.000%)
>>> TCPdisc: 0 (0.000%)
>>> UDPdisc: 0 (0.000%)
>>> ICMPdis: 0 (0.000%)
>>>    FRAG: 0 (0.000%)
>>>  FRAG 6: 0 (0.000%)
>>>     ARP: 0 (0.000%)
>>>   EAPOL: 0 (0.000%)
>>> ETHLOOP: 0 (0.000%)
>>>     IPX: 0 (0.000%)
>>>   OTHER: 0 (0.000%)
>>> DISCARD: 0 (0.000%)
>>> InvChkSum: 0 (0.000%)
>>>  S5 G 1: 0 (0.000%)
>>>  S5 G 2: 1 (33.333%)
>>>   Total: 3
>>> ===============================================================================
>>> Action Stats:
>>> ALERTS: 1
>>> LOGGED: 1
>>> PASSED: 0
>>> ===============================================================================
>>>
>>> Stream5 statistics:
>>> Total sessions: 1
>>> TCP sessions: 1
>>> UDP sessions: 0
>>> ICMP sessions: 0
>>> TCP Prunes: 0
>>> UDP Prunes: 0
>>> ICMP Prunes: 0
>>> TCP StreamTrackers Created: 1
>>> TCP StreamTrackers Deleted: 1
>>> TCP Timeouts: 0
>>> TCP Overlaps: 0
>>> TCP Segments Queued: 1
>>> TCP Segments Released: 1
>>> TCP Rebuilt Packets: 1
>>> TCP Segments Used: 1
>>> TCP Discards: 0
>>> UDP Sessions Created: 0
>>> UDP Sessions Deleted: 0
>>> UDP Timeouts: 0
>>> UDP Discards: 0
>>> Events: 0
>>> ===============================================================================
>>>
>>> HTTP Inspect - encodings (Note: stream-reassembled packets included):
>>> POST methods: 0
>>> GET methods: 0
>>> Headers extracted: 0
>>> Header Cookies extracted: 0
>>> Post parameters extracted: 0
>>> Unicode: 0
>>> Double unicode: 0
>>> Non-ASCII representable: 0
>>> Base 36: 0
>>> Directory traversals: 0
>>> Extra slashes ("//"): 0
>>> Self-referencing paths ("./"): 0
>>> Total packets processed: 3
>>> ===============================================================================
>>>
>>> ===============================================================================
>>>
>>> Snort exiting
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> Return on Information:
>>> Google Enterprise Search pays you back
>>> Get the facts.
>>> http://p.sf.net/sfu/google-dev2dev
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>
>
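As an added example (not from this thread and not Snort project code), the following Python parses the exit statistics quoted above and reconciles Snort's "processed" total with a pcap's frame count by subtracting the Stream5 rebuilt packets. The sample text is constructed from the numbers in the thread; the function names are my own.

```python
import re

# Constructed sample of Snort 2.8.x exit statistics, modelled on the output
# quoted in this thread: two SMB packets on the wire plus one rebuilt packet
# that Stream5 reports under "S5 G 2" rather than under "TCP".
SAMPLE_STATS = """\
Snort processed 3 packets.
Breakdown by protocol (includes rebuilt packets):
      ETH: 3          (100.000%)
      IP4: 3          (100.000%)
      TCP: 2          (66.667%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 1          (33.333%)
    Total: 3
Stream5 statistics:
            Total sessions: 1
       TCP Rebuilt Packets: 1
"""


def parse_snort_stats(text):
    """Extract the counters needed to explain Snort's packet total.

    Returns processed (Snort's own total), rebuilt (Stream5 pseudo-packets),
    s5 (the 'S5 G n' breakdown lines) and wire, the count that should match
    the number of frames in the capture file.
    """
    m = re.search(r"Snort processed (\d+) packets", text)
    processed = int(m.group(1)) if m else 0
    m = re.search(r"TCP Rebuilt Packets:\s*(\d+)", text)
    rebuilt = int(m.group(1)) if m else 0
    # The breakdown lists reassembled packets on the S5 G lines; they are
    # counted in the total but are not frames from the pcap.
    s5 = {f"S5 G {g}": int(n) for g, n in re.findall(r"S5 G (\d):\s*(\d+)", text)}
    return {"processed": processed, "rebuilt": rebuilt,
            "s5": s5, "wire": processed - rebuilt}


def reconcile(stats, pcap_frames):
    """True when Snort's total minus rebuilt packets equals the pcap frame
    count and the S5 G lines account for every rebuilt packet."""
    return (stats["wire"] == pcap_frames
            and sum(stats["s5"].values()) == stats["rebuilt"])
```

A mismatch after this reconciliation (for example, more wire packets than frames in the file) is worth investigating, since it points at something other than stream reassembly.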
