[Snort-devel] HTTP INSPECT fails on Mirror Port

Russ Combs (rucombs) rucombs at ...3461...
Thu Aug 7 14:31:34 EDT 2014


________________________________________
From: Anand Raj Manickam [anandrm at ...2499...]
Sent: Thursday, August 07, 2014 8:57 AM
To: Russ Combs (rucombs)
Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...1954...orge.net
Subject: Re: HTTP INSPECT fails on Mirror Port

On Wed, Aug 6, 2014 at 11:46 PM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:
>
> ________________________________________
> From: Anand Raj Manickam [anandrm at ...2499...]
> Sent: Wednesday, August 06, 2014 12:56 PM
> To: Russ Combs (rucombs)
> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...424...eforge.net
> Subject: Re: HTTP INSPECT fails on Mirror Port
>
> On Wed, Aug 6, 2014 at 10:04 PM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:
>>
>> ________________________________________
>> From: Anand Raj Manickam [anandrm at ...2499...]
>> Sent: Wednesday, August 06, 2014 12:17 PM
>> To: Russ Combs (rucombs)
>> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...1685...ceforge.net
>> Subject: Re: HTTP INSPECT fails on Mirror Port
>>
>> On Wed, Aug 6, 2014 at 9:28 PM, Russ Combs (rucombs) <rucombs at ...3461...> wrote:
>>>
>>> ________________________________________
>>> From: Anand Raj Manickam [anandrm at ...2499...]
>>> Sent: Wednesday, August 06, 2014 5:47 AM
>>> To: Russ Combs (rucombs)
>>> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...1656...rceforge.net
>>> Subject: Re: HTTP INSPECT fails on Mirror Port
>>>
>>> On Wed, Aug 6, 2014 at 12:48 AM, Russ Combs (rucombs) <rucombs at ...3483.....> wrote:
>>>>
>>>> ________________________________________
>>>> From: Anand Raj Manickam [anandrm at ...2499...]
>>>> Sent: Tuesday, August 05, 2014 4:05 AM
>>>> To: Russ Combs (rucombs)
>>>> Cc: James Lay; snort-devel at lists.sourceforge.net; snort-users at ...204...urceforge.net
>>>> Subject: Re: HTTP INSPECT fails on Mirror Port
>>>>
>>>>> * You have something weird going on.  Now 6 are eth:ip4:tcp and 4 are eth:other.  Previously they were eth:ip4:other.
>>>>>
>>>>> * At this point, since it happens only on your interface, I suggest compiling a debug version of Snort so you can catch it and see what's up.  You will need to set breakpoints in decode.c in DecodeEthPkt() and DecodeIPv4Proto() wherever pc.other++ happens and figure out what protocol it sees instead of IP and TCP respectively.
>>>>
>>>> I have the gdb breaks set, I see that in live packet capture mode,
>>>> there appears to be an internal fragmentation of the packet though the
>>>> MTU is 1500, the max size of packet in this capture is only 556.
>>>> If you look at the pkt structs data, I see characters. But when I
>>>> played with pcap, I never saw character data. (this is the reason
>>>> why pcap works)
>>>>
>>>> * The problem does not appear to be with the length.  Your 556 byte server response is the actual, full size:
>>>>
>>>> eth:ip4:tcp:http = 14 + 20 + 32 + 490 = 556
>>>>
>>>> * You need to break on the pc.other++ lines in the above two functions and then look at exactly what the next layer protocol is.  That is why decode is failing in these functions.
>>>>
>>>> * For example, in the eth function you can execute this command:
>>>>
>>>> p /x p->eh->ether_type
>>>>
>>>> * And in the ip4 function you can execute this command:
>>>>
>>>> p /x proto
>>>
>>> Sorry .. I forgot to mention that I did see random values on
>>> ether_type (0x40, 0x203a etc), whereas when I ran with the pcap, the
>>> ptype was always 0x8.
>>> Not sure why the packets are split ..
>>>
>>> * OK, we are getting closer.  Please break on the pc.other++ lines only.  Those are where the packets stop getting decoded because of an unrecognized type.
>>>
>>> * The values you are printing are in network byte order, so the eth 0x80 is actually 0x0800 which indicates IP.  The IP 0x6 is TCP.  The only other value your pcap has is eth 0x0806 which indicates ARP.  The rest of the values below are most likely indicative of the problem you have.
>>>
>>> * Why do you say "the packets are split"?  Do the lengths not correspond to the packets in your pcap?
>> # The reason why I say packets split: if you have a closer look at the
>> DecodeEthPkt breakpoints below,
>> eg: Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>  pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>  192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
>>  701    switch(ntohs(p->eh->ether_type))
>>  (gdb) p /x p->eh->ether_type
>>  $32 = 0x203a
>>
>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>  pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
>>  added, yet.</p>\n</body></html>\n") at decode.c:701
>>  701    switch(ntohs(p->eh->ether_type))
>>  (gdb) p /x p->eh->ether_type
>>  $35 = 0x7475
>>
>> I do not understand why a 556 byte packet needs to be in two passes,
>> whereas when I played it with pcap I never saw a decode like this.
>> The 'pkt' ptrs were always "", I never saw any characters in them.
>>
>> * Clearly what Snort thinks is the beginning of a packet is actually the middle.  DecodeEthPkt() is the very beginning of processing the raw packet data coming up from the DAQ.  If it is bad at that point, it is not a Snort problem.  Furthermore, sometimes you seem to be getting payload only and other times you are getting full packets.  What DAQ are you using in tap mode?  What kind of tap or span do you have feeding these packets to your Snort?
>
> # I did build the DAQ lib as it is; based on the bt it uses the DAQ. I'm
> using daq 2.0.2 version.
> Please let me know if the DAQ needs a specific config to be built and
> the backtrace below.
>
> * Not aware of any PCAP DAQ issues like this.  Wild guess:  something related to mmap.  You can try disabling that, if possible.  You could also try installing a newer libpcap or building that from source.  Maybe someone on the list can help out with that.

Thanks .. your wildest guess helped, I did disable the mmap code in
libpcap and rebuild. It worked.

* Awesome.

But the issue post that is even if I pass 2 connections the snort does
not catch the Interrupt (Ctrl + C) .. it still continues to run.

* Are you saying this happens as a result of disabling mmap?  This sounds like a new issue and if so needs a new thread.  

Any issues with performance if we disable mmap?

* Almost certainly degraded.  I suggest another thread to solicit input on that.

>
>    (gdb) bt
>   #0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
>         pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>         192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
>    #1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
>      pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>     192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
>         at snort.c:1821
>     #2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
>         pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>        192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
>     #3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
>         pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>         192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
>          at daq_pcap.c:361
>     #4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
>        max_packets=0, callback=0x5666f400 <pcap_process_loop>,
>        user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
>     #5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
>       callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
>       ./pcap.c:497
>     #6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
>      callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
>      daq_pcap.c:379
>     #7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
>      <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
>      <PacketCallback>, metaback=0x0, user=0x0)
>         at daq_mod_ops.c:133
>     #8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
>      <PacketCallback>, user=0x0) at sfdaq.c:540
>      #9  0x565933bf in PacketLoop () at snort.c:3210
>      #10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
>      #11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
>
> # snort --daq-list
>    Available DAQ modules:
>    pcap(v3): readback live multi unpriv
>    nfq(v7): live inline multi
>    ipfw(v3): live inline multi unpriv
>    dump(v2): readback live inline multi unpriv
>
>
>
>>
>>>
>>> Below is the DUMP of gdb on tap mode :
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) p /x p->eh->ether_type
>>> $28 = 0x40
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) p /x p->eh->ether_type
>>> $29 = 0x40
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) p /x p->eh->ether_type
>>> $30 = 0x8
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 2, DecodeIP (pkt=0xe7494064 "\255L", len=52, p=0x56c63300
>>> <s_packet>) at decode.c:2586
>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>> (gdb)  p /x p->iph->ip_proto
>>> $31 = 0x6
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) p /x p->eh->ether_type
>>> $32 = 0x203a
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) p /x p->eh->ether_type
>>> $33 = 0x8
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
>>> <s_packet>) at decode.c:2586
>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>> (gdb)  p /x p->iph->ip_proto
>>> $34 = 0x6
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
>>> added, yet.</p>\n</body></html>\n") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
>>> added, yet.</p>\n</body></html>\n") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) p /x p->eh->ether_type
>>> $35 = 0x7475
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 3, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:701
>>> 701    switch(ntohs(p->eh->ether_type))
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 2, DecodeIP (pkt=0xe7496064 "\255L", len=52, p=0x56c63300
>>> <s_packet>) at decode.c:2586
>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>> (gdb) p /x p->eh->ether_type
>>> $36 = 0x8
>>> (gdb)  p /x p->iph->ip_proto
>>> $37 = 0x6
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>> pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
>>> 650 {
>>> (gdb) c
>>> Continuing.
>>>
>>>
>>>
>>>
>>>>
>>>> I have the GDB dump below, with bt.
>>>>
>>>> I have turned off all offload settings
>>>>
>>>> # ethtool -k eth0
>>>> Offload parameters for eth0:
>>>> rx-checksumming: off
>>>> tx-checksumming: off
>>>> scatter-gather: off
>>>> tcp segmentation offload: off
>>>> udp fragmentation offload: off
>>>> generic segmentation offload: off
>>>>
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe749304a "T") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe749367a "\222h\030\032\b") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe7494042 "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, DecodeIP (pkt=0xe7494064 "\217\033", len=52,
>>>> p=0x56c63300 <s_packet>) at decode.c:2586
>>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
>>>> 650 {
>>>> (gdb) bt
>>>> #0  DecodeEthPkt (p=0x56c63300 <s_packet>, pkthdr=0xffffd620,
>>>> pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at decode.c:650
>>>> #1  0x56591224 in ProcessPacket (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n", ft=0x0)
>>>>     at snort.c:1821
>>>> #2  0x56593a58 in PacketCallback (user=0x0, pkthdr=0xffffd620,
>>>> pkt=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n") at snort.c:1704
>>>> #3  0x5666f489 in pcap_process_loop (user=0x57628770 "(\211bW",
>>>> pkth=0xffffd6bc, data=0xe74946d7 "10.2\r\nAccept: */*\r\nHost:
>>>> 192.168.1.110\r\nConnection: Keep-Alive\r\n\r\n")
>>>>     at daq_pcap.c:361
>>>> #4  0xf7d9e8f2 in pcap_read_linux_mmap (handle=0x576289c8,
>>>> max_packets=0, callback=0x5666f400 <pcap_process_loop>,
>>>> user=0x57628770 "(\211bW") at ./pcap-linux.c:4071
>>>> #5  0xf7da09b2 in pcap_dispatch (p=0x576289c8, cnt=0,
>>>> callback=0x5666f400 <pcap_process_loop>, user=0x57628770 "(\211bW") at
>>>> ./pcap.c:497
>>>> #6  0x5666fc26 in pcap_daq_acquire (handle=0x57628770, cnt=0,
>>>> callback=0x56593830 <PacketCallback>, metaback=0x0, user=0x0) at
>>>> daq_pcap.c:379
>>>> #7  0x5666eb1b in daq_acquire_with_meta (module=0x566bba60
>>>> <pcap_daq_module_data>, handle=0x57628770, cnt=0, callback=0x56593830
>>>> <PacketCallback>, metaback=0x0, user=0x0)
>>>>     at daq_mod_ops.c:133
>>>> #8  0x565b4f75 in DAQ_Acquire (max=0, callback=0x56593830
>>>> <PacketCallback>, user=0x0) at sfdaq.c:540
>>>> #9  0x565933bf in PacketLoop () at snort.c:3210
>>>> #10 0x565977f3 in SnortMain (argc=5, argv=0xffffd9e4) at snort.c:907
>>>> #11 0x56597bea in main (argc=841887793, argv=0x63410a0d) at snort.c:807
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe7495042 "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, DecodeIP (pkt=0xe7495064 "", len=52, p=0x56c63300
>>>> <s_packet>) at decode.c:2586
>>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe749585c "is running but no content has been
>>>> added, yet.</p>\n</body></html>\n") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe7496042 "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, DecodeIP (pkt=0xe7496064 "\217\033", len=52,
>>>> p=0x56c63300 <s_packet>) at decode.c:2586
>>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe7496672 "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, DecodeIP (pkt=0xe7496694 "\217\033", len=52,
>>>> p=0x56c63300 <s_packet>) at decode.c:2586
>>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe7497042 "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, DecodeIP (pkt=0xe7497064 "", len=52, p=0x56c63300
>>>> <s_packet>) at decode.c:2586
>>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe7497672 "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, DecodeIP (pkt=0xe7497694 "\217\033", len=52,
>>>> p=0x56c63300 <s_packet>) at decode.c:2586
>>>> 2586        DecodeIPv4Proto(p->iph->ip_proto, pkt+hlen, ip_len, p);
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe749803c "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, DecodeEthPkt (p=0x56c63300 <s_packet>,
>>>> pkthdr=0xffffd620, pkt=0xe749866c "") at decode.c:650
>>>> 650 {
>>>> (gdb) c
>>>> Continuing.
>>>> c
>>>>
>>>>
>>>>
>>>>
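
Added example, not part of the original thread and not Snort or libpcap code: the gdb values 0x203a and 0x7475 quoted above are bytes 12-13 of HTTP text being read as the Ethernet type field, and this C program reproduces them from the pkt strings shown in the thread. The function names, the verdict enum and the good frame are constructed for illustration, and a little-endian debug host is assumed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC (6) + src MAC (6) + type (2) */
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_ARP  0x0806

enum frame_verdict { FRAME_TOO_SHORT, FRAME_KNOWN_TYPE,
                     FRAME_UNKNOWN_TYPE, FRAME_LOOKS_LIKE_TEXT };

/* First bytes of two pkt strings shown in the gdb output in this thread. */
static const uint8_t req_tail[]  = "10.2\r\nAccept: */*\r\nHost: ";
static const uint8_t body_tail[] = "is running but no content has been";
/* Constructed sample: made-up MAC addresses followed by type 08 00 (IPv4). */
static const uint8_t good_frame[] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
                                      0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
                                      0x08, 0x00 };

/* Type field in wire (big-endian) order: the value ntohs() hands to switch(). */
uint16_t ether_type_wire(const uint8_t *buf)
{
    return (uint16_t)((buf[12] << 8) | buf[13]);
}

/* The same two bytes read as a little-endian uint16_t: what
 * `p /x p->eh->ether_type` prints on a little-endian host (assumed here). */
uint16_t ether_type_raw_le(const uint8_t *buf)
{
    return (uint16_t)((buf[13] << 8) | buf[12]);
}

/* Sanity-check the bytes a capture layer presents as the start of a frame. */
enum frame_verdict check_frame_start(const uint8_t *buf, size_t len)
{
    size_t i, texty = 0;
    if (len < ETH_HDR_LEN)
        return FRAME_TOO_SHORT;
    if (ether_type_wire(buf) == ETHERTYPE_IPV4 ||
        ether_type_wire(buf) == ETHERTYPE_ARP)
        return FRAME_KNOWN_TYPE;
    /* A header made only of printable bytes and CR/LF is payload text. */
    for (i = 0; i < ETH_HDR_LEN; i++)
        texty += isprint(buf[i]) || buf[i] == '\r' || buf[i] == '\n';
    return texty == ETH_HDR_LEN ? FRAME_LOOKS_LIKE_TEXT : FRAME_UNKNOWN_TYPE;
}

int main(void)
{
    printf("raw 0x%x 0x%x 0x%x\n", (unsigned)ether_type_raw_le(req_tail),
           (unsigned)ether_type_raw_le(body_tail),
           (unsigned)ether_type_raw_le(good_frame));
    return check_frame_start(req_tail, sizeof req_tail - 1) != FRAME_LOOKS_LIKE_TEXT;
}
```

A check like this at the capture boundary separates a buffer that starts mid-packet from a genuinely unknown link-layer protocol, which is the distinction the breakpoints in DecodeEthPkt() were used to make.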



