[Snort-devel] Counting Packets Per Second "PCAP ISSUE"
saboor.amtul at ...2499...
Thu Jun 26 00:56:27 EDT 2014
I'm running Snort on Linux BackTrack. I installed the latest version of Snort
and I'm trying to make a dynamic preprocessor by modifying the sample dpx.c
file of dpx (example preprocessor).
I am trying to count unique source IPs arriving per second.
I also want to do this with a larger gap between intervals; I mean I want to
count unique source IPs for every fourth second.
I have to put the above counted values of two consecutive intervals in a
formula then, e.g. I will count for the 1st second and then for the 4th second,
and use the values in a formula then. I also have to keep all IP addresses of
both intervals in a buffer (ignoring the packets of the 2nd and 3rd intervals).
And likewise I'll do this for the 8th and 11th second, ignoring packets from
the 9th and 10th second.
But I'm unable to grab time in seconds. Also I'm confused whether pcap will
ignore the packets arriving in the in-between intervals (that I want to
ignore) or not.
Thanks a lot for your time
On Jun 26, 2014 6:49 AM, "Ed Borgoyn (eborgoyn)" <eborgoyn at ...3461...> wrote:
> I'm not exactly sure what you are trying to accomplish. Nor what
> platform (i.e. OS) you are running on. But some platforms provide a 'high
> resolution' timer. This might be a 64 bit counter with sub-millisecond
> resolution. Generally the OS simply reads a H/W timer and gives it to the
> application without significant overhead. In other words, the time value
> read is very accurate.
> Can you describe in more detail what you want to build?
> The Snort Team
> From: Amtul Saboor <saboor.amtul at ...2499...>
> Date: Wednesday, June 25, 2014 4:09 PM
> To: "<snort-devel at lists.sourceforge.net>" <
> snort-devel at lists.sourceforge.net>
> Subject: [Snort-devel] Counting Packets Per Second "PCAP ISSUE"
> I am making changes in dpx preprocessor. Well the main issue I am facing
> is that I need to calculate packets per second and then use the count in a
> formula, but the "per second" thing is causing trouble for me. Apparently
> PCAP does not keep a record of "per second" packets.
> I have used the time function and am calculating the diff between curr time
> and previous time (in seconds), and using an if condition to try to grab
> packets, but the interval is not smooth. I am unable to get a correct packet count.
> Please suggest what can be done
> Thanks a lot
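Added example, not part of the thread and not Snort or dpx code: one way to count unique source IPs per one-second window is to bucket on each packet's capture timestamp instead of calling the wall clock, and to drop packets from the skipped seconds in the counter itself. It assumes the caller passes the capture-header seconds value and the IPv4 source address of every packet; `ip_sampler`, `sampler_init`, `sampler_feed` and `MAX_IPS` are hypothetical names, and the schedule is simplified to one sampled second out of every `period`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_IPS 1024                 /* per-window buffer size (assumed) */
typedef struct {
    uint32_t period;                 /* sample 1 second out of every `period` */
    uint32_t base, cur;              /* first second seen; second in progress */
    uint32_t ips[MAX_IPS], n;        /* unique source IPs of the current window */
    uint32_t last_count, windows, started; /* last closed window; total closed */
} ip_sampler;

void sampler_init(ip_sampler *s, uint32_t period)
{
    memset(s, 0, sizeof *s);
    s->period = period ? period : 1;
}

/* Feed one packet. Returns 1 when a sampled second just closed (its unique
 * count is in s->last_count). A window closes only when a later packet arrives. */
int sampler_feed(ip_sampler *s, uint32_t ts_sec, uint32_t src_ip)
{
    int closed = 0;
    if (!s->started) { s->started = 1; s->base = s->cur = ts_sec; }
    if (ts_sec > s->cur) {                       /* capture clock advanced */
        if ((s->cur - s->base) % s->period == 0) {
            s->last_count = s->n; s->windows++; closed = 1;
        }
        s->n = 0;
        s->cur = ts_sec;
    }
    /* Drop late packets and packets in the seconds between samples. */
    if (ts_sec < s->cur || (ts_sec - s->base) % s->period != 0) return closed;
    for (uint32_t i = 0; i < s->n; i++)
        if (s->ips[i] == src_ip) return closed;  /* already counted */
    if (s->n < MAX_IPS) s->ips[s->n++] = src_ip;
    return closed;
}

int main(void)
{
    /* Constructed sample packets: {capture second, source IP}. */
    uint32_t pkts[][2] = {{100,1},{100,2},{100,1},{101,3},{103,1},{103,4},{104,1}};
    ip_sampler s;
    sampler_init(&s, 3);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        if (sampler_feed(&s, pkts[i][0], pkts[i][1]))
            printf("window %u: %u unique sources\n", (unsigned)s.windows, (unsigned)s.last_count);
    return 0;
}
```

The linear scan over `ips` is adequate for small windows; a hash set would replace it at higher packet rates.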