[Snort-users] MMAP and odd looking stats

Todd Wease twease at ...1935...
Thu Nov 15 15:24:20 EST 2007


Turns out that the MMAP pcap does not accumulate stats, so the 
workaround for now is to change in configure.in:
...
        #include <pcap.h>
        #include <string.h>
        extern char pcap_version[];
        ]],
        [[
           if (strcmp(pcap_version, "0.9.0") < 0)
               return 1;
        ]])],
        [libpcap_version_09="yes"],
        [libpcap_version_09="no"])
...

to

...
        #include <pcap.h>
        #include <string.h>
        extern char pcap_version[];
        ]],
        [[
           if (strcmp(pcap_version, "0.9x") == 0)
               return 1;

           if (strcmp(pcap_version, "0.9.0") < 0)
               return 1;
        ]])],
        [libpcap_version_09="yes"],
        [libpcap_version_09="no"])


The fix for this will be in Snort 2.8.1.

Thanks,
Todd


Todd Wease wrote:
> Hi John.  It's a 'problem'.  libpcap versions 0.9.1 - 0.9.4 have an
> issue in Linux of doubling received and dropped stats, so we do a couple
> of configure checks to determine whether or not the pcap version falls
> in this range.  Phil Wood's pcap has a version of '0.9x', so our basic
> check is determining that we need to halve the stats that pcap gives
> us.  I'm going to write a bug on this, but don't expect the fix to come
> out any time soon.  As a workaround, those compiling snort from source
> can change the following in 'configure' and reconfigure and build snort.
>
> Look for this in 'configure':
>
> if (strcmp(pcap_version, "0.9.5") < 0)
>     return 1;
>
> Change the 'return 1' to 'return 0'.
>
> I haven't actually tested this, so let us know whether it works or not.
>  Thanks, John, for bringing this to our attention.
>
> Todd
>
>
>
> John Hally wrote:
>   
>> Hello all,
>>
>> I've been playing around with mmap on Fedora Core 6 and things seem to be
>> working ok, but I noticed that the highlighted % numbers 'Analyzed' and
>> 'Outstanding' are really strange looking.  Any idea if this is a
>> 'problem' or just an anomaly?
>>
>> Thanks!
>>
>>
>>
>> Nov  8 12:08:24 sensor snort[9258]: Snort initialization completed successfully (pid=9258)
>> Nov  8 12:08:24 sensor snort[9258]: Using PCAP_FRAMES = 32768
>> Nov  8 12:14:53 sensor snort[9258]: *** Caught Term-Signal
>> Nov  8 12:14:53 sensor snort[9258]: ===============================================================================
>> Nov  8 12:14:53 sensor snort[9258]: Packet Wire Totals:
>> Nov  8 12:14:53 sensor snort[9258]:    Received:      4718727
>> Nov  8 12:14:53 sensor snort[9258]:    Analyzed:      9434571 (199.939%)
>> Nov  8 12:14:53 sensor snort[9258]:     Dropped:            0 (0.000%)
>> Nov  8 12:14:53 sensor snort[9258]: Outstanding: 18446744073704835772 (390926283162913.125%)
>> Nov  8 12:14:53 sensor snort[9258]: ===============================================================================
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
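As an added illustration (not code from the Snort sources or from anyone in this thread), the program below runs the configure-time strcmp() tests from the snippets above, in both their original and patched form, over a constructed set of libpcap version strings, and reproduces the wrapped Outstanding value from John's log as an unsigned 64-bit subtraction:

```c
/* Added example, not Snort code. The version strings below are constructed
 * inputs; "0.9x" is the string Phil Wood's mmap pcap reports. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Original configure.in test: the probe program exits 1 (libpcap_version_09="no")
 * only when the version sorts before "0.9.0" in plain strcmp() order. */
static int version_09_original(const char *pcap_version)
{
    if (strcmp(pcap_version, "0.9.0") < 0)
        return 1;
    return 0;
}

/* Patched test from the follow-up: "0.9x" is reported as "no" explicitly. */
static int version_09_patched(const char *pcap_version)
{
    if (strcmp(pcap_version, "0.9x") == 0)
        return 1;
    if (strcmp(pcap_version, "0.9.0") < 0)
        return 1;
    return 0;
}

/* The 0.9.5 comparison from 'configure' that the first workaround edited. */
static int before_095(const char *pcap_version)
{
    return strcmp(pcap_version, "0.9.5") < 0;
}

/* Snort prints Outstanding = Received - Analyzed as an unsigned 64-bit value,
 * so a Received count that is too small wraps instead of going negative. */
static uint64_t outstanding(uint64_t received, uint64_t analyzed)
{
    return received - analyzed;
}

int main(void)
{
    const char *versions[] = { "0.8.3", "0.9.0", "0.9.4", "0.9.5", "0.9x", "1.0.0" };
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("%-6s exit(original)=%d exit(patched)=%d before_0.9.5=%d\n",
               versions[i], version_09_original(versions[i]),
               version_09_patched(versions[i]), before_095(versions[i]));
    printf("Outstanding: %llu\n", (unsigned long long)outstanding(4718727, 9434571));
    return 0;
}
```

Note that strcmp() compares byte by byte, so "0.9x" sorts after both "0.9.0" and "0.9.5" ('x' is greater than '.'), which is why only an explicit string match puts it in the "no" branch.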