[Snort-users] Snort not showing all packets

Martin Roesch roesch at ...1935...
Thu Aug 26 17:15:14 EDT 2004

That ought to do it.  Of course, that's only going to flag pseudo 
packets generated by stream4 instead of the original packets from the 
pcap file...


On Aug 17, 2004, at 9:59 PM, Ned wrote:

> I have written a preprocessor that prints the packet payload size and 
> contents (p->dsize and p->dp). I want to use it to test stream4 and 
> its ability to reassemble TCP streams.
> My preprocessor *almost* works. Unfortunately, when I run it through 
> a tcpdump file containing a simple wget of an index.html, I do not see 
> the first part of the data from the web server. The first packet is 
> there, but my preprocessor sees it as a packet of size 0.
> Does anyone know what I could try to fix this?
> Also, can anyone confirm that the following determines whether a 
> packet is a reassembled stream from stream4?
> 	if (p->packet_flags & PKT_REBUILT_STREAM) {
> 		printf("This is a rebuilt stream, rebuilt by stream4.\n");
> 	}
> Thanks
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Enterprise-class Snort-based IDS Infrastructure
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
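A stand-alone C model of the distinction Martin draws, added here and not code from the thread or from Snort itself: the original TCP segments pass through a preprocessor unflagged, while the pseudo-packet the reassembler builds from them is the one that carries PKT_REBUILT_STREAM. The field names follow the snippet above; the cut-down Packet struct, the flag value, and the rebuild_stream/build_demo helpers are assumptions made for the model, not Snort internals.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the Snort 2 Packet struct, keeping only the fields the
   thread uses (packet_flags, dsize, data). The flag value is assumed. */
#define PKT_REBUILT_STREAM 0x00000002u

typedef struct {
    uint32_t packet_flags;
    uint16_t dsize;          /* payload length */
    uint8_t  data[256];      /* payload bytes, copied inline for simplicity */
} Packet;

/* The check from the thread, as a predicate instead of a printf. */
int is_rebuilt(const Packet *p) {
    return (p->packet_flags & PKT_REBUILT_STREAM) != 0;
}

/* Toy model of what stream4 does: glue in-order segment payloads into one
   pseudo-packet and flag it. The original segments are left untouched. */
size_t rebuild_stream(const Packet *segs, size_t n, Packet *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < n; i++) {
        if (off + segs[i].dsize > sizeof out->data) break;
        memcpy(out->data + off, segs[i].data, segs[i].dsize);
        off += segs[i].dsize;
    }
    out->dsize = (uint16_t)off;
    out->packet_flags |= PKT_REBUILT_STREAM;
    return off;
}

/* Constructed pipeline: an empty first segment, two data segments, then the
   pseudo-packet stream4 would emit for them. Returns a static 4-packet array. */
Packet *build_demo(void) {
    static Packet pkts[4];
    const char *parts[3] = { "", "HTTP/1.1 200 OK\r\n", "<html>hi</html>" };
    memset(pkts, 0, sizeof pkts);
    for (int i = 0; i < 3; i++) {
        pkts[i].dsize = (uint16_t)strlen(parts[i]);
        memcpy(pkts[i].data, parts[i], pkts[i].dsize);
    }
    rebuild_stream(pkts, 3, &pkts[3]);
    return pkts;
}
/* Number of packets a dump keyed on the flag would print: only the rebuilt one. */
size_t count_rebuilt(const Packet *pkts, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += is_rebuilt(&pkts[i]);
    return c;
}
```

A dump that keys on the flag therefore prints one packet out of four here; to see the original segments as well, the preprocessor has to handle the unflagged packets too.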
