[Snort-devel] Snort processes more packets than in pcap?

Joel Esler jesler at ...402...
Mon Dec 14 09:18:30 EST 2009


I can't pull the pcap down right now, but I am thinking that, since it's
SMB, you have two packets in the pcap, which accounts for 2 of the 3, the
3rd is most likely the reassembled pseudo packet from the SMB stream.

J

On Mon, Dec 14, 2009 at 9:03 AM, danjobkeule <danjobkeule at ...1980...> wrote:

> Hi, I'm using snort-2.8.3.1. Here is the link to the pcap:
>
> http://uploaded.to/file/la8d4t
>
> Danjobkeule
>
>
> > Hi,
> > What Snort version do you use, please?
> > Maybe send the pcap to the list?
> > Regards
> > Rmkml
> > Crusoe-Researches.com
> >
> >
> > On Wed, 9 Dec 2009, danjobkeule wrote:
> >
> >> Dear community,
> >>
> >> I am wondering about Snort processing 3 packets, although the pcap I
> >> feed Snort with contains just 2 packets (both are SMB packets).
> >> How can that be? I assume that some preprocessors "generate" a new
> >> packet, but could anybody give an explanation for that?
> >>
> >> ===============================================================================
> >> Snort processed 3 packets.
> >> ===============================================================================
> >>
> >> Breakdown by protocol (includes rebuilt packets):
> >>       ETH: 3          (100.000%)
> >>   ETHdisc: 0          (0.000%)
> >>      VLAN: 0          (0.000%)
> >>      IPV6: 0          (0.000%)
> >>   IP6 EXT: 0          (0.000%)
> >>   IP6opts: 0          (0.000%)
> >>   IP6disc: 0          (0.000%)
> >>       IP4: 3          (100.000%)
> >>   IP4disc: 0          (0.000%)
> >>     TCP 6: 0          (0.000%)
> >>     UDP 6: 0          (0.000%)
> >>     ICMP6: 0          (0.000%)
> >>   ICMP-IP: 0          (0.000%)
> >>       TCP: 2          (66.667%)
> >>       UDP: 0          (0.000%)
> >>      ICMP: 0          (0.000%)
> >>   TCPdisc: 0          (0.000%)
> >>   UDPdisc: 0          (0.000%)
> >>   ICMPdis: 0          (0.000%)
> >>      FRAG: 0          (0.000%)
> >>    FRAG 6: 0          (0.000%)
> >>       ARP: 0          (0.000%)
> >>     EAPOL: 0          (0.000%)
> >>   ETHLOOP: 0          (0.000%)
> >>       IPX: 0          (0.000%)
> >>     OTHER: 0          (0.000%)
> >>   DISCARD: 0          (0.000%)
> >> InvChkSum: 0          (0.000%)
> >>    S5 G 1: 0          (0.000%)
> >>    S5 G 2: 1          (33.333%)
> >>     Total: 3
> >>
> >> ===============================================================================
> >>
> >> Action Stats:
> >>
> >> ALERTS: 1
> >> LOGGED: 1
> >> PASSED: 0
> >>
> >> ===============================================================================
> >>
> >> Stream5 statistics:
> >> Total sessions: 1
> >> TCP sessions: 1
> >> UDP sessions: 0
> >> ICMP sessions: 0
> >> TCP Prunes: 0
> >> UDP Prunes: 0
> >> ICMP Prunes: 0
> >> TCP StreamTrackers Created: 1
> >> TCP StreamTrackers Deleted: 1
> >> TCP Timeouts: 0
> >> TCP Overlaps: 0
> >> TCP Segments Queued: 1
> >> TCP Segments Released: 1
> >> TCP Rebuilt Packets: 1
> >> TCP Segments Used: 1
> >> TCP Discards: 0
> >> UDP Sessions Created: 0
> >> UDP Sessions Deleted: 0
> >> UDP Timeouts: 0
> >> UDP Discards: 0
> >> Events: 0
> >>
> >> ===============================================================================
> >>
> >> HTTP Inspect - encodings (Note: stream-reassembled packets included):
> >> POST methods: 0
> >> GET methods: 0
> >> Headers extracted: 0
> >> Header Cookies extracted: 0
> >> Post parameters extracted: 0
> >> Unicode: 0
> >> Double unicode: 0
> >> Non-ASCII representable: 0
> >> Base 36: 0
> >> Directory traversals: 0
> >> Extra slashes ("//"): 0
> >> Self-referencing paths ("./"): 0
> >> Total packets processed: 3
> >>
> >> ===============================================================================
> >>
> >> ===============================================================================
> >>
> >> Snort exiting
> >>
> ------------------------------------------------------------------------------
> >>
> >> Return on Information:
> >> Google Enterprise Search pays you back
> >> Get the facts.
> >> http://p.sf.net/sfu/google-dev2dev
> >> _______________________________________________
> >> Snort-devel mailing list
> >> Snort-devel at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>
> >
>
>
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at ...402...
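The reconciliation Joel describes (raw packets in the pcap plus Stream5's rebuilt pseudo-packets equals Snort's total) can be checked mechanically. The script below is an added example, not code from the thread or from the Snort project: it parses the "Breakdown by protocol" block as quoted above (condensed here to the counters that matter), counts the records of a pcap with a minimal libpcap reader, and reports whether Total minus the S5 G 1/S5 G 2 rebuilt counters equals the on-wire record count. The pcap content is constructed (two placeholder frames standing in for the two SMB packets); the assumption that Stream5's rebuilt packets are reported under the S5 G counters is taken from the thread's own figures (TCP 2 + S5 G 2 1 = Total 3, Stream5 "TCP Rebuilt Packets: 1").

```python
"""Reconcile Snort's "packets processed" total with the raw record count of a pcap.

Added example (not from the thread or the Snort project). Assumes the counter
layout of the Snort 2.8 summary quoted in the thread, with Stream5's rebuilt
pseudo-packets reported under the "S5 G 1" / "S5 G 2" counters.
"""
import re
import struct

# Constructed: the thread's "Breakdown by protocol" block, condensed to the
# counters the reconciliation needs (all omitted counters were 0).
SNORT_SUMMARY = """\
Snort processed 3 packets.
Breakdown by protocol (includes rebuilt packets):
      ETH: 3          (100.000%)
      IP4: 3          (100.000%)
      TCP: 2          (66.667%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 1          (33.333%)
    Total: 3
"""

# "<name>: <count>" at the start of a line; the trailing "(xx.xxx%)" is ignored.
COUNTER_RE = re.compile(r"^[ \t]*(?P<name>[A-Za-z0-9 \-]+?):[ \t]+(?P<count>\d+)", re.M)


def parse_breakdown(text):
    """Return {counter_name: count} for every "<name>: <n>" line in the summary."""
    return {m.group("name").strip(): int(m.group("count"))
            for m in COUNTER_RE.finditer(text)}


def count_pcap_records(data):
    """Count packet records in a classic libpcap capture held in memory.

    Only the 24-byte global header and the 16-byte record headers are parsed;
    the magic number decides byte order (microsecond and nanosecond variants).
    """
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    offset, records = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        records += 1
    return records


def build_pcap(frames, linktype=1):
    """Construct a minimal little-endian pcap (default linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body


# Constructed: two placeholder 64-byte frames standing in for the two SMB packets.
SAMPLE_PCAP = build_pcap([bytes(64), bytes(64)])


def reconcile(summary_text, pcap_bytes):
    """Explain Snort's total as on-wire records plus Stream5 rebuilt pseudo-packets."""
    counts = parse_breakdown(summary_text)
    rebuilt = counts.get("S5 G 1", 0) + counts.get("S5 G 2", 0)
    on_wire = count_pcap_records(pcap_bytes)
    return {
        "pcap_records": on_wire,
        "snort_total": counts["Total"],
        "rebuilt": rebuilt,
        "consistent": counts["Total"] - rebuilt == on_wire,
    }


if __name__ == "__main__":
    print(reconcile(SNORT_SUMMARY, SAMPLE_PCAP))
```

Run against a real capture by replacing SAMPLE_PCAP with the file's bytes and SNORT_SUMMARY with the text Snort prints at exit; a "consistent" result of False means the gap between the two counts is not explained by stream reassembly alone and deserves a closer look at the other counters (discards, fragments, invalid checksums).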