[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Fyodor fygrave at ...121...
Wed Jan 3 04:32:35 EST 2001


On Tue, Jan 02, 2001 at 02:24:11PM -0500, Martin Roesch wrote:
> > log.c(285):
> > 
> >     if(len > ETHERNET_MTU)
> >     {
> >         if(pv.verbose_flag)
> >         {
> >             printf("Got bogus buffer length (%d) for PrintNetData, defaulting to 16 bytes!\n", len);
> >         }
> > 
> > so here it complains if the buffer length is bigger than ETHERNET_MTU, which is 1500 bytes. This conclusion
> > (IMHO) actually isn't fully correct: other datalinks may have a different MTU (normally smaller, but
> > maybe there's one which is not?).
> 
> There's a little legacy code for you. :) Yes, back in the day when we only
> supported one data link layer that was a good line.  Now it needs to be set on
> the MTU for the current interface type.
> 

Here's the patch. :) Let's test it before committing it, to make sure it doesn't break things 5 minutes before
we are planning to release the code :). I tested it on FreeBSD/Linux/Solaris 2.6/gcc and HPUX 11.0/gcc, and it seems to work there. ;)



Index: log.c
===================================================================
RCS file: /cvsroot/snort/snort/log.c,v
retrieving revision 1.26
diff -u -r1.26 log.c
--- log.c	2001/01/02 08:06:00	1.26
+++ log.c	2001/01/03 09:25:44
@@ -283,7 +283,7 @@
     }
     end = start + (len - 1);    /* set the end of buffer ptr */
 
-    if(len > ETHERNET_MTU)
+    if(len > pv.mtus[0])
     {
         if(pv.verbose_flag)
         {
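Review bot: The new bound `pv.mtus[0]` always reads the first interface's value, so with more than one capture interface a buffer from another interface is checked against the wrong limit. snort.c in this patch fills `pv.mtus[num]` per interface, so the check should use the index of the interface the packet arrived on, or the largest configured value if that index is not available here. An interface MTU also normally excludes the link-layer header, so if `len` can cover a whole frame the comparison may need the header length added. The enclosing function starts and ends outside the hunk, so what `len` measures cannot be confirmed from here.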
Index: snort.c
===================================================================
RCS file: /cvsroot/snort/snort/snort.c,v
retrieving revision 1.45
diff -u -r1.45 snort.c
--- snort.c	2001/01/02 08:06:00	1.45
+++ snort.c	2001/01/03 09:25:49
@@ -1371,6 +1371,16 @@
         /* get the device file descriptor */
         pds[num] = pcap_open_live(pv.interfaces[num], snaplen,
                                       pv.promisc_flag ? PROMISC : 0, READ_TIMEOUT, errorbuf);
+
+        /* lookup mtu */
+        pv.mtus[num] = GetIfrMTU(pv.interfaces[num]);
+            
+        if (pv.mtus[num] == -1)
+        {
+            FatalError("ERROR: Can not get MTU of an interface %s!\n", pv.interfaces[num]);
+        }
+ 
+        
     }
     else
     {   /* reading packets from a file */
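Review bot: A failed MTU lookup now aborts startup through `FatalError`, although the value is only used in log.c to sanity-check a print length. On a platform or pseudo-interface where `SIOCGIFMTU` is not supported this keeps the sensor from starting at all; falling back is safer, e.g. `if (pv.mtus[num] == -1) pv.mtus[num] = snaplen;` preceded by a warning through `ErrorMessage`. The lookup also runs before any visible check that `pcap_open_live` returned a usable handle, which may be handled outside the hunk.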
@@ -1394,6 +1404,9 @@
          */
         snaplen = pcap_snapshot(pds[num]);
 
+        /* captured framesize can not be bigger than snaplen */
+        pv.mtus[num] = snaplen;
+
         printf("snaplen = %d\n", snaplen);
     }
 
@@ -1439,6 +1452,43 @@
                    pcap_geterr(pds[num]));
     }
     return 0;
+}
+
+
+/****************************************************************************
+ *
+ * Function  : GetIfrMTU()
+ * Purpose   : Get Interface MTU value
+ * Arguments : interface name (string)
+ * Returns   : MTU (or -1)
+ *
+ ****************************************************************************/
+
+
+int GetIfrMTU(char *name) {
+    
+    int fd;
+    struct ifreq ifr;
+    int retval;
+
+
+    retval = -1;
+    
+    fd = socket(AF_INET, SOCK_DGRAM, 0);
+    if ( fd < 0) {
+        ErrorMessage("socket");
+        return -1;
+    }
+
+    strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
+    if (ioctl(fd, SIOCGIFMTU, &ifr) == 0)
+        retval = ifr.ifr_metric;
+    else
+        ErrorMessage("ioctl(SIOCGIFMTU)");    
+
+    close(fd);
+    
+ return retval;
 }
 
 /****************************************************************************
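Review bot: `strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name))` leaves `ifr_name` without a terminating NUL when the interface name is as long as the field or longer, and `ifr` is otherwise uninitialised when it is handed to `ioctl`. Zero the struct and copy one byte less, `memset(&ifr, 0, sizeof(ifr));` then `strncpy(ifr.ifr_name, name, sizeof(ifr.ifr_name) - 1);`, and consider returning -1 for a NULL or over-long name rather than silently querying a truncated one. The result is read from `ifr.ifr_metric`, which presumably relies on that member sharing storage with the MTU member of `struct ifreq` on the tested platforms; if so, say it in a comment such as `/* SIOCGIFMTU result is read through ifr_metric for portability */`. `ErrorMessage("socket")` and `ErrorMessage("ioctl(SIOCGIFMTU)")` would be easier to act on with `strerror(errno)` included.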
Index: snort.h
===================================================================
RCS file: /cvsroot/snort/snort/snort.h,v
retrieving revision 1.18
diff -u -r1.18 snort.h
--- snort.h	2001/01/02 10:40:57	1.18
+++ snort.h	2001/01/03 09:25:50
@@ -166,6 +166,7 @@
     char smbmsg_dir[STD_BUF];
     char pid_path[STD_BUF];
     char *interfaces[MAX_INTERFACES]; 
+    int   mtus[MAX_INTERFACES];
 #define interface interfaces[0] /* backwards compatibility */
     char *pcap_cmd;
     char *alert_filename;
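Review bot: The new `mtus` field has no comment, and its name is only half accurate: snort.c stores the interface MTU for live capture but the pcap snaplen when reading from a file. A comment such as `/* per-interface upper bound on frame length: MTU (live) or snaplen (file) */` would keep the next reader from assuming it is always an MTU. The struct definition starts and ends outside the hunk.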
@@ -251,6 +252,7 @@
 void InitializeInterfaces(void);
 void *InterfaceThread(void *);
 int OpenPcap(char *, int);
+int GetIfrMTU(char *);
 void DefineIfaceVar(char *,u_char *, u_char *);
 int DisplayBanner();
 int SetPktProcessor();
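Review bot: The new prototype `int GetIfrMTU(char *);` takes a non-const pointer although the function in snort.c only reads the name. Declaring it `int GetIfrMTU(const char *);`, with the definition changed to match, documents that the interface name is not modified and lets callers pass string constants without a cast.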



