[Snort-devel] Counting Packets Per Second "PCAP ISSUE"

Amtul Saboor saboor.amtul at ...2499...
Thu Jun 26 00:56:27 EDT 2014


I m running snort in linux backtrack , i installed latest version of snort
and i m trying to make a dynamic preprocessor by modifying sample dpx.c
file of dpx ( example preprocessor)

I am trying to count unique source ips arriving pr second .

I also want to do this with more gap of intervals , i mean i want to count
unique source ips for every fourth second.

I hv to put the above countd values of two consecutive intervals in a
formula then .  e.g. i will count for 1st second and then for 4th second .
And use the values in a formula then .i also hv to keep all ip addresses of
both intervals in a buffer . ( Ignoring the packets of 2nd n 3rd interval
). And likewise ill do this for 8th n 11 th second , ignoring packets from
9th n 10th second .

But i m unable to grab time in seconds . Also i m confused if the pcap will
ignore the packets arriving in the in between (that i want to ignore)
intervals or not .

Thanks alot for ur time

Regards
On Jun 26, 2014 6:49 AM, "Ed Borgoyn (eborgoyn)" <eborgoyn at ...3461...> wrote:

>  Amtul,
>   I'm not exactly sure what you are trying to accomplish.  Nor what
> platform (i.e. OS) you are running on.  But some platforms provide a 'high
> resolution' timer.  This might be a 64 bit counter with sub-millisecond
> resolution.  Generally the OS simply reads a H/W timer and gives it to the
> application without significant overhead.  In other words, the time value
> read is very accurate.
>
>    Can you describe in more detail what you want to build?
>
>      Ed
>     The Snort Team
>
>
>   From: Amtul Saboor <saboor.amtul at ...2499...>
> Date: Wednesday, June 25, 2014 4:09 PM
> To: "<snort-devel at lists.sourceforge.net>" <
> snort-devel at lists.sourceforge.net>
> Subject: [Snort-devel] Counting Packets Per Second "PCAP ISSUE"
>
>
>  Hello
>
> I am making changes in dpx preprocessor. Well the main issue I am facing
> is that I need to calculate packets per second and then use the count in a
> formula, but the "per second" thing is causing trouble for me. Apparently
> PCAP does not keep a record of "per second" packets.
>
>   I have used time function and calculating diff between curr time and
> previous time (in seconds) and using if condition trying to grab packets
> but the interval is not smooth . I am unable to get correct packet count.
>
> Please suggest what can be done
>
>  Thanks alot
>  --
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20140626/2803018f/attachment.html>


More information about the Snort-devel mailing list