[Snort-devel] The detect function

Russ Combs rcombs at ...402...
Wed Jan 2 13:33:20 EST 2013


Suggest looking at your packet(s) in something like wireshark to see what
the encapsulations are.  In wireshark, open the "Frame" to view "Protocols
in frame".  You may see something like "eth:vlan:ip:tcp:http" or
"eth:ip:gre:ppp:ip:tcp:http".  The latter has GRE (you can google that)
and requires that Snort be built with GRE support (enabled by default).
Please send a pcap if that doesn't get you moving.

On Tue, Dec 18, 2012 at 4:57 AM, Shimrit Tzur <shimritd at ...2499...> wrote:

> I can see now that I'm getting into the ifdef GRE in the function and this
> is the reason that it returns.
> Can someone explain to me why? What is this GRE? The input contains HTTP or
> TCP packets.
> Thanks!
>
>
> On Tue, Dec 18, 2012 at 9:39 AM, Shimrit Tzur <shimritd at ...2499...> wrote:
>
>> Hello all,
>> I have known Snort for a while but am new to developing it.
>> I'm trying to trace the function flow of a standard HTTP packet.
>> I notice that in the detect function (detect.c) there is a switch-case
>> statement on "p->outer_family" where the options are AF_INET and AF_INET6.
>> In my case the value is 0, so the program goes to the default option, which
>> simply returns, so fpEvalPacket isn't called.
>>
>> My question is: what is the meaning of this outer_family field of the
>> packet, and why is it 0?
>>
>> Thanks a lot,
>> Shimrit
>>
>>
>
>
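An added example, not code from the thread or from Snort itself: a small C decoder that walks the encapsulation layers of a frame the way Wireshark's "Protocols in frame" view lists them (eth, vlan, ip, gre, ppp, tcp) and records the address family of the outermost and innermost IP header, which is the kind of value detect() tests in p->outer_family. The names (decoded_t, decode_frame, decode_sample) and the two sample frames are constructed for this example; the GRE, PPP and IPv6 handling makes the simplifying assumptions noted in the comments (no GRE source-route entries, no PPP address/control bytes or protocol compression, no IPv6 extension headers), and it does not classify application protocols such as http.

```c
/* Added example (not Snort's decoder): walk a frame's encapsulation layers, report the
 * stack as Wireshark's "Protocols in frame" does, and record the address family of the
 * outermost and innermost IP headers (the p->outer_family that detect() switches on). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */
enum layer { L_NONE, L_IPV4, L_IPV6, L_GRE, L_PPP, L_TCP, L_OTHER };
typedef struct {
    int  outer_family;  /* family of the outermost IP header, 0 if none */
    int  family;        /* family of the innermost IP header, 0 if none */
    int  ip_layers;     /* IP headers seen: 2 for IP-over-GRE */
    char stack[64];     /* e.g. "eth:ip:gre:ip:tcp" */
} decoded_t;
static enum layer from_ethertype(unsigned t)
{   return t == 0x0800 ? L_IPV4 : t == 0x86DD ? L_IPV6 : t == 0x880B ? L_PPP : L_OTHER; }
static enum layer from_ipproto(unsigned n)
{   return n == 4 ? L_IPV4 : n == 41 ? L_IPV6 : n == 47 ? L_GRE : n == 6 ? L_TCP : L_OTHER; }
static enum layer from_ppp(unsigned n)    /* PPP protocol field: 0x0021 IPv4, 0x0057 IPv6 */
{   return n == 0x0021 ? L_IPV4 : n == 0x0057 ? L_IPV6 : L_OTHER; }
static void push(decoded_t *d, const char *s)   /* append layer name with ':' separator */
{   snprintf(d->stack + strlen(d->stack), sizeof d->stack - strlen(d->stack), "%s%s", d->stack[0] ? ":" : "", s); }
static void note_ip(decoded_t *d, int family)
{
    if (d->ip_layers++ == 0) d->outer_family = family;   /* first IP header = outer */
    d->family = family;                                   /* last IP header = inner */
}

/* Returns 0 on success, -1 if any header is truncated or malformed. */
int decode_frame(const uint8_t *p, size_t len, decoded_t *d)
{
    size_t off = 14; enum layer next;
    memset(d, 0, sizeof *d);
    if (len < 14) return -1;
    push(d, "eth");
    if (((p[12] << 8) | p[13]) == 0x8100) {   /* 802.1Q tag: the real ethertype follows it */
        if (len < 18) return -1;
        push(d, "vlan"); off = 18;
    }
    next = from_ethertype((p[off - 2] << 8) | p[off - 1]);
    for (int depth = 0; depth < 8 && next != L_NONE; depth++) {   /* bound the nesting */
        switch (next) {
        case L_IPV4: {
            if (len < off + 20 || (p[off] >> 4) != 4) return -1;
            size_t ihl = (p[off] & 0x0F) * 4u;
            if (ihl < 20 || len < off + ihl) return -1;
            push(d, "ip"); note_ip(d, AF_INET);
            next = from_ipproto(p[off + 9]); off += ihl; break;
        }
        case L_IPV6:   /* assumption: no extension headers */
            if (len < off + 40 || (p[off] >> 4) != 6) return -1;
            push(d, "ipv6"); note_ip(d, AF_INET6);
            next = from_ipproto(p[off + 6]); off += 40; break;
        case L_GRE: {  /* RFC 2784/2890 v0 and PPTP v1: each flag bit adds a 4-byte field */
            if (len < off + 4) return -1;
            unsigned f = (p[off] << 8) | p[off + 1];
            if (f & 0x4000) return -1;    /* source-route entries (variable length): not handled */
            size_t hlen = 4 + 4 * (!!(f & 0x8000) + !!(f & 0x2000) + !!(f & 0x1000) + !!(f & 0x0080));
            if (len < off + hlen) return -1;
            push(d, "gre");
            next = from_ethertype((p[off + 2] << 8) | p[off + 3]); off += hlen; break;
        }
        case L_PPP:    /* assumption: uncompressed 2-byte protocol, no address/control bytes */
            if (len < off + 2) return -1;
            push(d, "ppp");
            next = from_ppp((p[off] << 8) | p[off + 1]); off += 2; break;
        case L_TCP: if (len < off + 20) return -1; push(d, "tcp"); next = L_NONE; break;
        default:    push(d, "other"); next = L_NONE; break;
        }
    }
    return 0;
}

/* Constructed sample frames (not captured traffic): eth/ip/tcp, or with with_gre set
 * eth/ip/gre/ip/tcp, the two shapes discussed in the thread. */
int decode_sample(int with_gre, decoded_t *d)
{
    static const uint8_t eth[14]    = { 0,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0 };
    static const uint8_t ip_gre[20] = { 0x45,0,0,0x40, 0,0,0x40,0, 64,47, 0,0, 10,0,0,1, 10,0,0,2 };
    static const uint8_t gre[4]     = { 0,0, 0x08,0 };   /* v0, no options, IPv4 payload */
    static const uint8_t ip_tcp[20] = { 0x45,0,0,0x28, 0,0,0x40,0, 64,6, 0,0, 192,168,1,10, 192,168,1,20 };
    static const uint8_t tcp[20]    = { 0x04,0xd2, 0,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
    uint8_t buf[128]; size_t n = 0;
    memcpy(buf + n, eth, 14); n += 14;
    if (with_gre) { memcpy(buf + n, ip_gre, 20); n += 20; memcpy(buf + n, gre, 4); n += 4; }
    memcpy(buf + n, ip_tcp, 20); n += 20;
    memcpy(buf + n, tcp, 20); n += 20;
    return decode_frame(buf, n, d);
}

int main(void)
{
    decoded_t d;
    for (int g = 0; g < 2; g++)
        if (decode_sample(g, &d) == 0)
            printf("%-20s outer_family=%d family=%d ip_layers=%d\n",
                   d.stack, d.outer_family, d.family, d.ip_layers);
    return 0;
}
```

Running it prints one line per sample. The GRE sample decodes to two IP layers, which is the situation the thread is about: a capture encapsulated in GRE only decodes fully when Snort is built with GRE support, and Wireshark's "Protocols in frame" line is the quickest way to see whether such an extra layer is present before digging into detect().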