[Snort-devel] Missing value in manual definition of u2 packet record

Avery Rozar avery.rozar at ...3576...
Mon Aug 17 15:43:17 EDT 2015


I noticed the same, and was told to use the source (Luke)....

It's all here:
src/sfutil/Unified2_common.h

On Mon, Aug 17, 2015 at 2:10 PM, fear nothing <fear.nothing at ...2499...>
wrote:

> I believe I have found an error in the manual.snort.org documentation for
> the unified2 output. Specifically, the structure for Unified2 Packet
> records <http://manual.snort.org/node44.html#SECTION00632000000000000000>
> is currently:
>
>     sensor id               4 bytes
>     event id                4 bytes
>     event seconds           4 bytes
>     event microseconds      4 bytes
>     linktype                4 bytes
>     packet length           4 bytes
>     packet data             <variable length>
>
>
> The actual output of my device (currently running 2.9.7.3) is more
> accurately represented by:
>
>     sensor id               4 bytes
>     event id                4 bytes
>     event second            4 bytes
>     packet second           4 bytes
>     packet microsecond      4 bytes
>     linktype                4 bytes
>     packet length           4 bytes
>     packet data             <variable length>
>
>
> The C header
> <https://github.com/jasonish/snort/blob/master/src/sfutil/Unified2_common.h#L135>
> seems to support this belief. It's a small thing but could save headaches
> for the next person crazy enough to start parsing the unified2 output
> themselves :)
>
> Regards,
> fearnothing
> github.com/scherma
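A parser for the packet record using the corrected seven-field layout, added here as an example (it is not code from the thread or from Snort). It assumes the fields are big-endian uint32 values and that the outer unified2 record header (type/length) has already been consumed; the sample record is constructed, and the parse_with_manual_layout helper exists only to show how the manual's six-field layout shifts linktype and packet length by one slot.

```python
import struct

# Corrected unified2 packet record header (src/sfutil/Unified2_common.h):
# seven uint32 fields, then packet_length bytes of packet data.
# Assumption: values are big-endian, and the outer record header is stripped.
PACKET_HEADER = struct.Struct(">7I")
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")
# The six-field layout printed in the manual, kept only to show the misparse.
MANUAL_HEADER = struct.Struct(">6I")
MANUAL_FIELDS = ("sensor_id", "event_id", "event_seconds",
                 "event_microseconds", "linktype", "packet_length")


def parse_packet_record(buf: bytes) -> dict:
    """Parse one packet record body with the header layout from the source."""
    if len(buf) < PACKET_HEADER.size:
        raise ValueError("record shorter than fixed header")
    rec = dict(zip(PACKET_FIELDS, PACKET_HEADER.unpack_from(buf, 0)))
    end = PACKET_HEADER.size + rec["packet_length"]
    # packet_length is read from the file: bound it before slicing.
    if end > len(buf):
        raise ValueError("packet_length %d runs past record end" % rec["packet_length"])
    rec["packet_data"] = buf[PACKET_HEADER.size:end]
    return rec


def parse_with_manual_layout(buf: bytes) -> dict:
    """Same bytes read with the manual's layout; fields land one slot off."""
    return dict(zip(MANUAL_FIELDS, MANUAL_HEADER.unpack_from(buf, 0)))


def build_packet_record(packet_data: bytes, **fields) -> bytes:
    """Construct a record body for testing (hypothetical, not sensor output)."""
    hdr = [fields.get(name, 0) for name in PACKET_FIELDS[:-1]]
    return PACKET_HEADER.pack(*hdr, len(packet_data)) + packet_data


# Constructed sample: a 14-byte fake Ethernet header as the captured packet.
SAMPLE_DATA = bytes.fromhex("ffffffffffff" "001122334455" "0800")
SAMPLE_RECORD = build_packet_record(SAMPLE_DATA, sensor_id=1, event_id=42,
                                    event_second=1439835000, packet_second=1439835000,
                                    packet_microsecond=123456, linktype=1)

if __name__ == "__main__":
    print(parse_packet_record(SAMPLE_RECORD))
    print(parse_with_manual_layout(SAMPLE_RECORD))
```

With the manual's layout, the sample's packet_microsecond value is reported as the linktype and the real linktype (1) as the packet length, so every following record in the file would be read from the wrong offset.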