[Snort-devel] Missing value in manual definition of u2 packet record

fear nothing fear.nothing at ...2499...
Mon Aug 17 14:10:53 EDT 2015


I believe I have found an error in the manual.snort.org documentation
for the unified2 output. Specifically, the structure for Unified2 Packet
records
<http://manual.snort.org/node44.html#SECTION00632000000000000000> is
currently:

    sensor id               4 bytes
    event id                4 bytes
    event seconds           4 bytes
    event microseconds      4 bytes
    linktype                4 bytes
    packet length           4 bytes
    packet data             <variable length>


The actual output of my device (currently running 2.9.7.3) is more
accurately represented by:

    sensor id               4 bytes
    event id                4 bytes
    event second            4 bytes
    packet second           4 bytes
    packet microsecond      4 bytes
    linktype                4 bytes
    packet length           4 bytes
    packet data             <variable length>


The C header
<https://github.com/jasonish/snort/blob/master/src/sfutil/Unified2_common.h#L135>
seems to support this belief. It's a small thing, but it could save
headaches for the next person crazy enough to start parsing the unified2
output themselves :)

Regards,
fearnothing
github.com/scherma
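A parser for the corrected layout, as an added example that is not part of the original message or of Snort itself. It reads the seven 4-byte fields listed above in network byte order, checks that `packet length` really describes the bytes that follow, and shows what the six-field layout from the manual yields on the same bytes. The outer record framing (a 4-byte type followed by a 4-byte length, with type 2 for packet records) is taken from the same Unified2_common.h and is an assumption of this example; the sample record is constructed, not captured from a sensor.

```python
"""Parse unified2 packet records with the 28-byte header from the message.

Added example, not Snort code. Field order is the corrected list from the
message; the record framing (type, length; type 2 == packet record) is
assumed from Unified2_common.h. All integers are big-endian, as unified2
writes them. The sample record below is constructed."""
import struct
from dataclasses import dataclass

UNIFIED2_PACKET = 2                 # record type for packet records (assumed from the header)
RECORD_HDR = struct.Struct("!II")   # type, length
# sensor_id, event_id, event_second, packet_second, packet_microsecond,
# linktype, packet_length: the seven 4-byte fields the message lists
PACKET_HDR = struct.Struct("!7I")
MANUAL_HDR = struct.Struct("!6I")   # the six-field layout the manual shows


@dataclass
class PacketRecord:
    sensor_id: int
    event_id: int
    event_second: int
    packet_second: int
    packet_microsecond: int
    linktype: int
    packet_data: bytes


def parse_packet_record(body: bytes) -> PacketRecord:
    """Parse the body of a type-2 record (the bytes after the 8-byte record header)."""
    if len(body) < PACKET_HDR.size:
        raise ValueError("packet record shorter than its fixed header")
    fields = PACKET_HDR.unpack_from(body)
    packet_length = fields[6]
    data = body[PACKET_HDR.size:]
    # packet_length must describe exactly the trailing bytes; a wrong header
    # size shows up here as a mismatch instead of as silently shifted fields.
    if packet_length != len(data):
        raise ValueError(f"packet_length {packet_length} != trailing bytes {len(data)}")
    return PacketRecord(*fields[:6], data)


def iter_records(buf: bytes):
    """Yield (type, body) for each framed record in a unified2 byte buffer."""
    off = 0
    while off + RECORD_HDR.size <= len(buf):
        rtype, rlen = RECORD_HDR.unpack_from(buf, off)
        off += RECORD_HDR.size
        if off + rlen > len(buf):
            raise ValueError("truncated record")
        yield rtype, buf[off:off + rlen]
        off += rlen


def build_packet_record(sensor_id, event_id, event_second, packet_second,
                        packet_microsecond, linktype, packet_data: bytes) -> bytes:
    """Serialize one packet record in the corrected layout (used to build the sample)."""
    body = PACKET_HDR.pack(sensor_id, event_id, event_second, packet_second,
                           packet_microsecond, linktype, len(packet_data)) + packet_data
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


# Constructed sample: one packet record wrapping a 14-byte Ethernet header
# (broadcast dst, made-up src, EtherType 0x0800), linktype 1 (DLT_EN10MB).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800")
SAMPLE = build_packet_record(1, 42, 1439835053, 1439835053, 123456, 1, SAMPLE_FRAME)


def parse_sample() -> PacketRecord:
    recs = [parse_packet_record(body) for rtype, body in iter_records(SAMPLE)
            if rtype == UNIFIED2_PACKET]
    return recs[0]


def misparse_with_manual_layout(body: bytes) -> dict:
    """Read the same body with the manual's six-field layout: 'linktype' lands on
    packet_microsecond and 'packet length' on linktype, so the trailing byte
    count no longer matches."""
    f = MANUAL_HDR.unpack_from(body)
    return {"linktype": f[4], "packet_length": f[5],
            "trailing": len(body) - MANUAL_HDR.size}


if __name__ == "__main__":
    print(parse_sample())
    print(misparse_with_manual_layout(SAMPLE[RECORD_HDR.size:]))
```

Running it against a real unified2 log: feed the whole file to `iter_records` and hand only type-2 bodies to `parse_packet_record`; a sane `linktype` (1 for Ethernet) and a `packet_length` that matches the trailing byte count are the quickest signs that the 28-byte header is the right one.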