[Snort-users] Snort not showing all packets

Martin Roesch roesch at ...1935...
Thu Aug 26 17:15:14 EDT 2004


That ought to do it.  Of course, that's only going to flag pseudo 
packets generated by stream4 instead of the original packets from the 
pcap file...

      -Marty

On Aug 17, 2004, at 9:59 PM, Ned wrote:

> I have written a preprocessor that prints the packet payload size and 
> contents (p->dsize and p->dp). I want to use it to test stream4 and 
> its ability to reassemble TCP streams.
>
> My preprocessor *almost* works. Unfortunately, when I run it through 
> a tcpdump file containing a simple wget of an index.html, I do not see 
> the first part of the data from the web server. The first packet is 
> there, but my preprocessor sees it as a packet of size 0.
>
> Does anyone know what I could try to fix this?
>
> Also, can anyone confirm that the following determines whether a 
> packet is a reassembled stream from stream4?
>
> 	if (p->packet_flags & PKT_REBUILT_STREAM) {
> 		printf("This is a rebuilt stream, rebuilt by stream4.\n");
> 	}
>
> Thanks
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Enterprise-class Snort-based IDS Infrastructure
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
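
The distinction Marty draws above, as an added example that is not part of the original thread and not Snort's own code: a miniature stream reassembler hands a preprocessor the original segments unflagged and then a single pseudo packet carrying the reassembled payload with the rebuilt flag set. The Packet struct, the PKT_REBUILT_STREAM value, the Preprocess() callback and the four out-of-order server segments are all stand-ins constructed for this example (Snort's real definitions live in its decode.h and stream4 code and are not reproduced here), so the program runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in flag value; Snort's real PKT_REBUILT_STREAM differs. */
#define PKT_REBUILT_STREAM 0x00000001u

/* Stand-in for the fields of Snort's Packet that this example touches. */
typedef struct {
    uint32_t       seq;          /* TCP sequence number of first payload byte */
    uint16_t       dsize;        /* payload length, as p->dsize */
    const uint8_t *data;         /* payload, as p->data */
    uint32_t       packet_flags; /* as p->packet_flags */
} Packet;

/* What a dsize-printing preprocessor would tally over one stream. */
typedef struct {
    int    originals;     /* packets straight from the pcap (unflagged) */
    int    zero_size;     /* of those, packets whose dsize is 0 */
    int    rebuilt;       /* pseudo packets flagged PKT_REBUILT_STREAM */
    size_t rebuilt_bytes; /* payload carried by the pseudo packets */
} Stats;

/* Hypothetical preprocessor callback: the only test it can make is the flag. */
static void Preprocess(const Packet *p, Stats *s)
{
    if (p->packet_flags & PKT_REBUILT_STREAM) {
        s->rebuilt++;
        s->rebuilt_bytes += p->dsize;
    } else {
        s->originals++;
        if (p->dsize == 0)
            s->zero_size++;
    }
}

/* Constructed server->client segments, delivered out of order. The first
 * carries no payload, so a preprocessor printing p->dsize reports 0 for it. */
#define BASE_SEQ 1001u
static const char seg_ack[]  = "";
static const char seg_hdr[]  = "HTTP/1.0 200 OK\r\n";   /* 17 bytes */
static const char seg_crlf[] = "\r\n";                   /*  2 bytes */
static const char seg_body[] = "<html></html>";          /* 13 bytes */

static const Packet sample[] = {
    { BASE_SEQ,      0,  (const uint8_t *)seg_ack,  0 },
    { BASE_SEQ + 19, 13, (const uint8_t *)seg_body, 0 },
    { BASE_SEQ,      17, (const uint8_t *)seg_hdr,  0 },
    { BASE_SEQ + 17, 2,  (const uint8_t *)seg_crlf, 0 },
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

/* First-wins, gap-aware reassembly into out[]. Returns the number of bytes
 * contiguous from base; a hole stops the count. Offsets use uint32_t
 * arithmetic so a wrapped sequence space is still handled. */
static size_t Reassemble(const Packet *segs, size_t n, uint32_t base,
                         uint8_t *out, size_t outlen)
{
    uint8_t filled[256] = {0};
    if (outlen > sizeof filled)
        outlen = sizeof filled;
    for (size_t i = 0; i < n; i++) {
        uint32_t off = segs[i].seq - base;   /* wraps correctly */
        if (off >= outlen)
            continue;                        /* outside the window */
        for (uint32_t j = 0; j < segs[i].dsize && off + j < outlen; j++) {
            if (!filled[off + j]) {          /* earlier copy wins */
                out[off + j] = segs[i].data[j];
                filled[off + j] = 1;
            }
        }
    }
    size_t len = 0;
    while (len < outlen && filled[len])
        len++;
    return len;
}

/* Reassembles the constructed sample stream into out[]. */
size_t ReassembleSample(uint8_t *out, size_t outlen)
{
    return Reassemble(sample, NSAMPLE, BASE_SEQ, out, outlen);
}

/* Feeds the originals through the preprocessor, then builds the pseudo
 * packet the way a reassembler would and feeds that too. Only the pseudo
 * packet carries the rebuilt flag. */
Stats RunStream(void)
{
    static uint8_t buf[256];
    Stats s = {0, 0, 0, 0};
    Packet p;

    for (size_t i = 0; i < NSAMPLE; i++)
        Preprocess(&sample[i], &s);

    p.seq          = BASE_SEQ;
    p.dsize        = (uint16_t)ReassembleSample(buf, sizeof buf);
    p.data         = buf;
    p.packet_flags = PKT_REBUILT_STREAM;
    Preprocess(&p, &s);
    return s;
}

int main(void)
{
    uint8_t buf[256];
    size_t len = ReassembleSample(buf, sizeof buf);
    Stats s = RunStream();
    printf("originals=%d (dsize 0: %d) rebuilt=%d rebuilt_bytes=%zu\n",
           s.originals, s.zero_size, s.rebuilt, s.rebuilt_bytes);
    printf("rebuilt payload (%zu bytes): %.*s\n", len, (int)len, buf);
    return 0;
}
```

Running it shows four unflagged originals (one with dsize 0) followed by one flagged pseudo packet of 32 bytes; a preprocessor that prints only when the flag is set would therefore never report the original segments, which is the caveat in the reply above.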