[Snort-users] Snort not showing all packets

Ned gned at ...12288...
Tue Aug 17 21:40:01 EDT 2004


I have written a preprocessor that prints the packet payload size and 
contents (p->dsize and p->dp). I want to use it to test stream4 and its 
ability to reassemble TCP streams.

My preprocessor  *almost* works. Unfortunately, when I run it through a 
tcpdump file containing a simple wget of an index.html, I do not see the 
first part of the data from the web server. The first packet is there, but 
my preprocessor sees it as a packet of size 0.

Does anyone know what I could try to fix this?

Also, can anyone confirm that the following determines whether a packet is 
a reassembled stream from stream4?

	if (p->packet_flags & PKT_REBUILT_STREAM) {
		printf("This is a rebuilt stream, rebuilt by stream4.\n");
	}

Thanks 





More information about the Snort-users mailing list