[Snort-devel] SFSnortPacket: Problem when getting packet payload

Todd Wease twease at ...402...
Tue May 14 10:15:36 EDT 2013

Hi Hai,

Looks like the payload_size may be zero and payload pointer not NULL if
there isn't any payload after, say, the TCP header - if the payload_size if
0, you shouldn't be accessing the payload pointer.  It may be that you're
running in passive or post-ack mode and getting both a stream5 reassembled
packet and the ACK (no payload) that caused the reassembly.  You may want
to check for just reassembled packets.  The SFSnortPacket header has a
flags member and with PAF enabled you can test for a full PDU:

PacketHasFullPDU(p) || p->flags & FLAG_REBUILT_STREAM     // p is an
SFSnortPacket instance

If you're still having issues and you don't mind, can you send your code
(or at least the relevant part), a pcap and the packets you think should
have a payload_size > 0 when they get to your preprocessor (off list to me
if you prefer)?


On Tue, May 14, 2013 at 6:39 AM, Hai Minh Nguyen <lightsea90 at ...2499...>wrote:

> Hi,
> I'm writing a dynamic preprocessor which examines all packet payload. I
> found that SFSnortPacket contained 2 members: payload (pointer) and
> payload_size. I used these 2 members to read packet payload. But when I
> tested with those packets of a HTTP stream (definitely payload existed), it
> shown that payload_size = 0 and payload != NULL. I thought if payload_size
> = 0 then payload = NULL :|
> My questions:
> 1. If payload_size = 0, there's no payload, just header and payload =
> NULL. Is this true? What about my case?
> 2. How to examine packet payload? (Is that my way right? How to fix? Any
> other solution?)
> --
> Kiếm ma độc cô cầu bại - Ôi, một đời oanh liệt, chỉ mong được chiến bại
> một lần, nhưng chưa ai qua nổi quá tam chiêu!!!
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete
> security visibility with the essential security capabilities. Easily and
> efficiently configure, manage, and operate all of your security controls
> from a single console and one unified framework. Download a free trial.
> http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130514/09b31bd0/attachment.html>

More information about the Snort-devel mailing list