[Snort-devel] Snort processes more packets than in pcap?

Russ Combs rcombs at ...402...
Mon Dec 14 09:35:55 EST 2009


On Mon, Dec 14, 2009 at 9:14 AM, Todd Wease <twease at ...402...> wrote:

> The total count includes packets off the wire as well as reassembled
> packets.  The extra packet is probably a stream reassembled one.
>

Your original e-mail included this count:

S5 G 2: 1

which, as others indicated, is a reassembled "pseudo"-packet.  In this case,
when the session was cleaned up, the queued server data was flushed
producing this packet.

>
> On 12/14/2009 09:03 AM, danjobkeule wrote:
> > Hi, I'm using snort-2.8.3.1. Here is the link to the pcap:
> >
> > http://uploaded.to/file/la8d4t
> >
> > Danjobkeule
> >
> >
> >> Hi,
> >> what Snort version do you use, please?
> >> Maybe send the pcap to the list?
> >> Regards
> >> Rmkml
> >> Crusoe-Researches.com
> >>
> >>
> >> On Wed, 9 Dec 2009, danjobkeule wrote:
> >>
> >>> Dear community,
> >>>
> >>> I am wondering about Snort processing 3 packets, although there are just
> >>> 2 packets in the pcap I feed Snort with (both are SMB packets).
> >>> How can that be? I assume that some preprocessors "generate" a new
> >>> packet, but could anybody give an explanation for that?
> >>>
> >>>
> >>> ===============================================================================
> >>> Snort processed 3 packets.
> >>> ===============================================================================
> >>>
> >>> Breakdown by protocol (includes rebuilt packets):
> >>>       ETH: 3          (100.000%)
> >>>   ETHdisc: 0          (0.000%)
> >>>      VLAN: 0          (0.000%)
> >>>      IPV6: 0          (0.000%)
> >>>   IP6 EXT: 0          (0.000%)
> >>>   IP6opts: 0          (0.000%)
> >>>   IP6disc: 0          (0.000%)
> >>>       IP4: 3          (100.000%)
> >>>   IP4disc: 0          (0.000%)
> >>>     TCP 6: 0          (0.000%)
> >>>     UDP 6: 0          (0.000%)
> >>>     ICMP6: 0          (0.000%)
> >>>   ICMP-IP: 0          (0.000%)
> >>>       TCP: 2          (66.667%)
> >>>       UDP: 0          (0.000%)
> >>>      ICMP: 0          (0.000%)
> >>>   TCPdisc: 0          (0.000%)
> >>>   UDPdisc: 0          (0.000%)
> >>>   ICMPdis: 0          (0.000%)
> >>>      FRAG: 0          (0.000%)
> >>>    FRAG 6: 0          (0.000%)
> >>>       ARP: 0          (0.000%)
> >>>     EAPOL: 0          (0.000%)
> >>>   ETHLOOP: 0          (0.000%)
> >>>       IPX: 0          (0.000%)
> >>>     OTHER: 0          (0.000%)
> >>>   DISCARD: 0          (0.000%)
> >>> InvChkSum: 0          (0.000%)
> >>>    S5 G 1: 0          (0.000%)
> >>>    S5 G 2: 1          (33.333%)
> >>>     Total: 3
> >>> ===============================================================================
> >>>
> >>> Action Stats:
> >>> ALERTS: 1
> >>> LOGGED: 1
> >>> PASSED: 0
> >>> ===============================================================================
> >>>
> >>> Stream5 statistics:
> >>> Total sessions: 1
> >>> TCP sessions: 1
> >>> UDP sessions: 0
> >>> ICMP sessions: 0
> >>> TCP Prunes: 0
> >>> UDP Prunes: 0
> >>> ICMP Prunes: 0
> >>> TCP StreamTrackers Created: 1
> >>> TCP StreamTrackers Deleted: 1
> >>> TCP Timeouts: 0
> >>> TCP Overlaps: 0
> >>> TCP Segments Queued: 1
> >>> TCP Segments Released: 1
> >>> TCP Rebuilt Packets: 1
> >>> TCP Segments Used: 1
> >>> TCP Discards: 0
> >>> UDP Sessions Created: 0
> >>> UDP Sessions Deleted: 0
> >>> UDP Timeouts: 0
> >>> UDP Discards: 0
> >>> Events: 0
> >>> ===============================================================================
> >>>
> >>> HTTP Inspect - encodings (Note: stream-reassembled packets included):
> >>> POST methods: 0
> >>> GET methods: 0
> >>> Headers extracted: 0
> >>> Header Cookies extracted: 0
> >>> Post parameters extracted: 0
> >>> Unicode: 0
> >>> Double unicode: 0
> >>> Non-ASCII representable: 0
> >>> Base 36: 0
> >>> Directory traversals: 0
> >>> Extra slashes ("//"): 0
> >>> Self-referencing paths ("./"): 0
> >>> Total packets processed: 3
> >>> ===============================================================================
> >>>
> >>> Snort exiting
> >>>
> ------------------------------------------------------------------------------
> >>>
> >>> Return on Information:
> >>> Google Enterprise Search pays you back
> >>> Get the facts.
> >>> http://p.sf.net/sfu/google-dev2dev
> >>> _______________________________________________
> >>> Snort-devel mailing list
> >>> Snort-devel at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>>
> >>
> >
> >
> >
>
>
>
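The reconciliation described in this thread (pcap packet count plus Stream5 rebuilt pseudo-packets equals Snort's processed count), as an added example that is not part of the original posts: it parses a constructed, abbreviated copy of the Snort 2.8.x summary above, subtracts the S5 G 1 / S5 G 2 rows from the processed total, and cross-checks the result against Stream5's own TCP Rebuilt Packets counter. The counter names come from the output quoted in the thread; the 2-packet pcap size is the poster's figure.

```python
import re

# Constructed sample: an abbreviated copy of the summary quoted in the thread
# (2-packet pcap, one reassembled server-side flush under "S5 G 2").
SAMPLE_STATS = """\
===============================================================================
Snort processed 3 packets.
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 3          (100.000%)
      IP4: 3          (100.000%)
      TCP: 2          (66.667%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 1          (33.333%)
    Total: 3
===============================================================================
Stream5 statistics:
Total sessions: 1
TCP Rebuilt Packets: 1
===============================================================================
"""

PROCESSED_RE = re.compile(r"Snort processed (\d+) packets\.")
# One "Name: N" counter per line; the trailing percentage is ignored.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s+(\d+)", re.MULTILINE)


def parse_counters(text):
    """Return {counter name: integer value} for every 'Name: N' line."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def reconcile(text, pcap_packets):
    """Split Snort's processed total into wire packets and Stream5 pseudo-packets.

    The per-protocol breakdown "includes rebuilt packets": the S5 G 1 / S5 G 2
    rows are Stream5-generated reassembled packets, not packets from the pcap,
    so wire packets = processed total - those rows. Stream5's own
    "TCP Rebuilt Packets" counter should report the same number.
    """
    processed = int(PROCESSED_RE.search(text).group(1))
    counters = parse_counters(text)
    rebuilt = counters.get("S5 G 1", 0) + counters.get("S5 G 2", 0)
    wire = processed - rebuilt
    return {
        "processed": processed,
        "rebuilt": rebuilt,
        "wire": wire,
        "matches_pcap": wire == pcap_packets,
        "stream5_consistent": counters.get("TCP Rebuilt Packets", 0) == rebuilt,
    }
```

A `matches_pcap` of False after this subtraction points at something other than reassembly (for example dropped or discarded packets), which is where the *disc and DISCARD rows become the next thing to read.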

