[Snort-users] Re: libpcap 0.7.1
cpw at ...440...
Tue Jan 29 12:45:02 EST 2002
Looks correct. My netscape, shift key, reload just didn't hack it
today. Cleared my cache and things started to work again.
One caveat, the current snort.c incorrectly adds ps_drop to ps_recv to create
a total packets received by the filter. This is actually MY fault, and I have
notified Marty. It's actually worse than that. In particular, here is the
skinny on how libpcap manages the "pcap_stat" structure:
OS applied ps_recv ps_drop
linux before all packets that passed packets that passed the filter
the filter including but dropped due to lack of buffer
those that were dropped. space.
bsd after ALL packets that hit (Same as linux)
the network interface
before being filtered
including packets that
passed the filter and
packets that were dropped.
The above synopsis is based on my read of the two files pcap-linux.c and
I would very much like to change the way pcap_stats works, but the old
hands are tied due to the "api".
Phil Wood, cpw at ...440...
More information about the Snort-users