[Snort-users] MMAP and odd looking stats

Todd Wease twease at ...1935...
Thu Nov 8 13:55:28 EST 2007


Hi John.  It's a 'problem'.  libpcap versions 0.9.1 - 0.9.4 have an
issue in Linux of doubling received and dropped stats so we do a couple
of configure checks to determine whether or not the pcap version falls
in this range.  Phil Wood's pcap has a version of '0.9x', so our basic
check is determining that we need to halve the stats that pcap gives
us.  I'm going to write a bug on this, but don't expect the fix to come
out any time soon.  As a workaround, those compiling snort from source
can change the following in 'configure' and reconfigure and build snort.

Look for this in 'configure':

if (strcmp(pcap_version, "0.9.5") < 0)
               return 1;

Change the 'return 1' to 'return 0'.

I haven't actually tested this, so let us know whether it works or not.
 Thanks, John, for bringing this to our attention.

Todd



John Hally wrote:
> 
> Hello all,
> 
> I've been playing around with mmap on fedora core6 and things seem to be
> working ok, but I noticed that the highlighted % numbers 'Analyzed' and
> 'Outstanding' are really strange looking.  Any idea if this is a
> 'problem' or just an anomaly?
> 
> Thanks!
> 
> 
> 
> Nov  8 12:08:24 sensor snort[9258]: Snort initialization completed
> successfully (pid=9258) 
> Nov  8 12:08:24 sensor snort[9258]: Using PCAP_FRAMES = 32768 
> Nov  8 12:14:53 sensor snort[9258]: *** Caught Term-Signal 
> Nov  8 12:14:53 sensor snort[9258]:
> ========================================================================
> ======= 
> Nov  8 12:14:53 sensor snort[9258]: Packet Wire Totals: 
> Nov  8 12:14:53 sensor snort[9258]:    Received:      4718727 
> Nov  8 12:14:53 sensor snort[9258]:    Analyzed:      9434571 (199.939%)
> Nov  8 12:14:53 sensor snort[9258]:     Dropped:            0 (0.000%) 
> Nov  8 12:14:53 sensor snort[9258]: Outstanding: 18446744073704835772
> (390926283162913.125%) 
> Nov  8 12:14:53 sensor snort[9258]:
> ========================================================================
> =======
> 

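Added example (not part of the original thread and not Snort's own code): a small C program showing how halving counters that were never doubled reproduces the 'Analyzed' and 'Outstanding' figures in the log above. It assumes Outstanding is computed as received - analyzed - dropped in unsigned 64-bit arithmetic, which matches the logged value; the function names and the raw ps_recv figure (twice the logged Received) are constructed for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

struct totals {
    uint64_t received, analyzed, dropped, outstanding;
    double analyzed_pct;
};

/* ps_recv / ps_drop: counters as reported by pcap_stats().
 * halve: nonzero when the build decided libpcap doubles its counters. */
static struct totals compute_totals(uint64_t ps_recv, uint64_t ps_drop,
                                    uint64_t analyzed, int halve)
{
    struct totals t;
    t.received = halve ? ps_recv / 2 : ps_recv;
    t.dropped  = halve ? ps_drop / 2 : ps_drop;
    t.analyzed = analyzed;
    /* Assumed formula; unsigned subtraction wraps modulo 2^64. */
    t.outstanding = t.received - t.analyzed - t.dropped;
    t.analyzed_pct = t.received
        ? 100.0 * (double)t.analyzed / (double)t.received : 0.0;
    return t;
}

/* Sanity check a sensor operator can apply to the exit statistics:
 * more packets analyzed than pcap says arrived means the counters
 * were scaled wrongly, so the drop percentage cannot be trusted. */
static int totals_inconsistent(struct totals t)
{
    return t.analyzed > t.received;
}

int main(void)
{
    /* Constructed input: Analyzed from the log, ps_recv = 2 x logged Received. */
    const uint64_t ps_recv = 9437454, analyzed = 9434571;

    for (int halve = 1; halve >= 0; halve--) {
        struct totals t = compute_totals(ps_recv, 0, analyzed, halve);
        printf("halve=%d Received: %" PRIu64 " Analyzed: %" PRIu64
               " (%.3f%%) Outstanding: %" PRIu64 "%s\n",
               halve, t.received, t.analyzed, t.analyzed_pct, t.outstanding,
               totals_inconsistent(t) ? "  <-- inconsistent" : "");
    }
    return 0;
}
```

With halving on, the program prints the same Received, Analyzed percentage and Outstanding values as the log; with halving off, the totals are self-consistent.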



