<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>Hi Pablo,</div>
<div><br>
</div>
<div>I am pretty sure that jumbo frames are the issue for the PCAP. They are even bigger than 60000, which is not normal. </div>
<div><br>
</div>
<div>For the interface one, there are lots of discards. Not all traffic is processed by Snort, therefore there are lots of gaps in the TCP stream. You can try inline mode instead of passive. Either there is some configuration issue with the interface, or the speed
 of the passive interface might be too high to be processed by your CPU.</div>
<div><br>
</div>
<div>Best,</div>
<div>Hui.</div>
<div><br>
</div>
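<div>Two offline checks for the hypotheses above, added here as an illustration (this is not code from the thread or from Snort). The first walks a libpcap file and counts frames larger than a normal Ethernet frame and larger than a given paf_max (60000 is assumed, matching the value used in the thread), and also frames the capture snaplen truncated, which is what produces gaps in the reassembled stream. The second uses the fact that Snort's file preprocessor names each captured file by the SHA-256 of its content, so hashing the originals and comparing against the names in the capture directory shows which files were captured byte-for-byte. The sample PCAP and the sample file contents are constructed inline; the helper names and the match_capture_dir paths are this example's own.</div>

```python
"""Offline checks for the Snort file-capture mismatch discussed in this thread.

scan_pcap():      walk a libpcap file and count frames larger than a normal
                  Ethernet frame (jumbo or offload-coalesced) and larger than
                  a given paf_max, plus frames the capture snaplen truncated.
match_captures(): Snort's file preprocessor names each captured file by the
                  SHA-256 of its content, so compare those names with the
                  SHA-256 of the originals to see which were captured intact.
"""
import hashlib
import struct
from pathlib import Path

ETH_MAX_FRAME = 1518  # 1500-byte MTU + 14-byte header + 4-byte FCS

# Constructed sample: on-wire frame lengths, including one jumbo frame and one
# 64 KB frame of the kind described above (bigger than paf_max 60000).
SAMPLE_FRAMES = [66, 1514, 1514, 9014, 64240, 1514]


def build_sample_pcap(frame_lengths, snaplen=65535):
    """Build a minimal little-endian libpcap file (linktype 1 = Ethernet).

    The frame bodies are zero-filled; only the record lengths matter here.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    records = []
    for i, wire_len in enumerate(frame_lengths):
        cap_len = min(wire_len, snaplen)  # what tcpdump would actually store
        records.append(struct.pack("<IIII", 1431100000 + i, 0, cap_len, wire_len)
                       + b"\x00" * cap_len)
    return header + b"".join(records)


def scan_pcap(data, paf_max=60000):
    """Return frame-size statistics for a libpcap byte string."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"  # little-endian (microsecond or nanosecond timestamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %r)" % magic)
    snaplen = struct.unpack(end + "I", data[16:20])[0]
    stats = {"frames": 0, "over_mtu": 0, "over_paf_max": 0,
             "truncated": 0, "max_len": 0, "snaplen": snaplen}
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _sec, _frac, cap_len, wire_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + cap_len > len(data):
            raise ValueError("truncated record at offset %d" % off)
        stats["frames"] += 1
        stats["max_len"] = max(stats["max_len"], wire_len)
        if wire_len > ETH_MAX_FRAME:
            stats["over_mtu"] += 1
        if wire_len > paf_max:
            stats["over_paf_max"] += 1
        if cap_len < wire_len:  # snaplen cut the frame: Stream5 will see a gap
            stats["truncated"] += 1
        off += cap_len
    return stats


def capture_name(content):
    """Filename Snort's file capture uses for this content (uppercase SHA-256)."""
    return hashlib.sha256(content).hexdigest().upper()


def match_captures(originals, capture_names):
    """originals: {name: bytes}; capture_names: names from the capture directory.

    Returns {name: True if an identical file was captured, else False}.
    """
    captured = {n.upper() for n in capture_names}
    return {name: capture_name(data) in captured for name, data in originals.items()}


def match_capture_dir(original_paths, capture_dir):
    """Same check against real files on disk (paths are the caller's)."""
    originals = {Path(p).name: Path(p).read_bytes() for p in original_paths}
    return match_captures(originals, (p.name for p in Path(capture_dir).iterdir()))


if __name__ == "__main__":
    print(scan_pcap(build_sample_pcap(SAMPLE_FRAMES)))
    print(scan_pcap(build_sample_pcap(SAMPLE_FRAMES, snaplen=1600)))
    # Constructed stand-ins for two of the original files; contents are invented.
    originals = {"tux-sw.bmp": b"BM" + b"\x00" * 444, "video1.avi": b"RIFF" + b"\x00" * 100}
    print(match_captures(originals, [capture_name(originals["tux-sw.bmp"])]))
```

<div>A non-zero "over_mtu" count in a PCAP taken on an ordinary Ethernet segment usually means the capturing host coalesced segments (GRO/LRO/TSO offloads) rather than that jumbo frames were really on the wire; that is a common cause and not something this thread establishes, but it is worth checking the capture interface's offload settings (ethtool -k) before tuning paf_max. A non-zero "truncated" count means the snaplen cut frames short, and gaps in the reassembled stream are then expected regardless of Snort configuration.</div>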
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Pablo Cantos Polaino <<a href="mailto:pcantos@...16842...">pcantos@...16842...</a>><br>
<span style="font-weight:bold">Date: </span>Friday, May 8, 2015 at 5:59 PM<br>
<span style="font-weight:bold">To: </span>Hui Cao <<a href="mailto:huica@...589...">huica@...589...</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a>" <<a href="mailto:snort-users@lists.sourceforge.net">snort-users@...974...rceforge.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Snort-users] File preprocessor fails to capture files<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr">
<div>Hi Hui,</div>
<div><br>
</div>
<div>I've replaced config paf_max: 16000 by 60000 as you proposed.</div>
<div><br>
</div>
<div>File type was not identified because I had disabled the type_id option in preprocessor file_inspect. I've replayed the tests with paf_max = 60000 and both type_id enabled and disabled. In both cases the captured files are the same (number and size) when sniffing
 from an interface and reading from a PCAP file. So I'm pasting below the exit stats when type_id is enabled and paf_max = 60000:</div>
<div><br>
</div>
<div>
<div style="font-size:12.8000001907349px">Exit stats when reading the PCAP file <span style="font-size:12.8000001907349px">and type_id enabled:</span></div>
</div>
<div><br>
</div>
<div><span style="font-size:12.8000001907349px">===============================================================================</span><br>
</div>
<div>
<div style=""><span style="font-size:12.8000001907349px">Run time for packet processing was 3.978146 seconds</span></div>
<div style=""><span style="font-size:12.8000001907349px">Snort processed 3326 packets.</span></div>
<div style=""><span style="font-size:12.8000001907349px">Snort ran for 0 days 0 hours 0 minutes 3 seconds</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Pkts/sec:         1108</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Memory usage summary:</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total non-mmapped bytes (arena):       10190848</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Bytes in mapped regions (hblkhd):      122081280</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total allocated space (uordblks):      8072896</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total free space (fordblks):           2117952</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Topmost releasable block (keepcost):   133008</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Packet I/O Totals:</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Received:         3326</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Analyzed:         3326 (100.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Dropped:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Filtered:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">Outstanding:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Injected:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Breakdown by protocol (includes rebuilt packets):</span></div>
<div style=""><span style="font-size:12.8000001907349px">        Eth:         3333 (100.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       VLAN:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        IP4:         3333 (100.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       Frag:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       ICMP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        UDP:           40 (  1.200%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        TCP:         3293 ( 98.800%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP6 Ext:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   IP6 Opts:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Frag6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      ICMP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       UDP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       TCP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Teredo:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    ICMP-IP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP4/IP4:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP4/IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP6/IP4:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP6/IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        GRE:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE Eth:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   GRE VLAN:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE IP4:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">GRE IP6 Ext:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   GRE PPTP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE ARP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE IPX:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   GRE Loop:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       MPLS:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        ARP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        IPX:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Eth Loop:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Eth Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   IP4 Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   IP6 Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   TCP Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   UDP Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">  ICMP Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">All Discard:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Other:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">Bad Chk Sum:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Bad TTL:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     S5 G 1:            3 (  0.090%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     S5 G 2:            4 (  0.120%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Total:         3333</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Action Stats:</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Alerts:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Logged:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Passed:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">Limits:</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Match:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Queue:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">        Log:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Event:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Alert:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">Verdicts:</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Allow:         3326 (100.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Block:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Replace:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Whitelist:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Blacklist:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Ignore:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Frag3 statistics:</span></div>
<div style=""><span style="font-size:12.8000001907349px">        Total Fragments: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Frags Reassembled: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               Discards: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">          Memory Faults: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               Timeouts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               Overlaps: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">              Anomalies: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Alerts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  Drops: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">     FragTrackers Added: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">    FragTrackers Dumped: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">FragTrackers Auto Freed: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Frag Nodes Inserted: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Frag Nodes Deleted: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Stream statistics:</span></div>
<div style=""><span style="font-size:12.8000001907349px">            Total sessions: 24</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP sessions: 14</span></div>
<div style=""><span style="font-size:12.8000001907349px">              UDP sessions: 10</span></div>
<div style=""><span style="font-size:12.8000001907349px">             ICMP sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               IP sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                TCP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                UDP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               ICMP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 IP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">TCP StreamTrackers Created: 14</span></div>
<div style=""><span style="font-size:12.8000001907349px">TCP StreamTrackers Deleted: 14</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP Timeouts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP Overlaps: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">       TCP Segments Queued: 2394</span></div>
<div style=""><span style="font-size:12.8000001907349px">     TCP Segments Released: 2394</span></div>
<div style=""><span style="font-size:12.8000001907349px">       TCP Rebuilt Packets: 793</span></div>
<div style=""><span style="font-size:12.8000001907349px">         TCP Segments Used: 2393</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP Discards: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  TCP Gaps: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      UDP Sessions Created: 10</span></div>
<div style=""><span style="font-size:12.8000001907349px">      UDP Sessions Deleted: 10</span></div>
<div style=""><span style="font-size:12.8000001907349px">              UDP Timeouts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">              UDP Discards: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                    Events: 1</span></div>
<div style=""><span style="font-size:12.8000001907349px">           Internal Events: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">           TCP Port Filter</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  Filtered: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Inspected: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                   Tracked: 3286</span></div>
<div style=""><span style="font-size:12.8000001907349px">           UDP Port Filter</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  Filtered: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Inspected: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                   Tracked: 10</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">HTTP Inspect - encodings (Note: stream-reassembled packets included):</span></div>
<div style=""><span style="font-size:12.8000001907349px">    POST methods:                         0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    GET methods:                          10        </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Request Headers extracted:       10        </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Request Cookies extracted:       0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Post parameters extracted:            0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP response Headers extracted:      10        </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Response Cookies extracted:      0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Unicode:                              0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Double unicode:                       0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Non-ASCII representable:              0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Directory traversals:                 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Extra slashes ("//"):                 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Self-referencing paths ("./"):        0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Response Gzip packets extracted: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Gzip Compressed Data Processed:       n/a       </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Gzip Decompressed Data Processed:     n/a       </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Total packets processed:              2433      </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">SMTP Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total sessions                                    : 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Max concurrent sessions                           : 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">dcerpc2 Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">SIP Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">File Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file type callbacks:            7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file signature callbacks:       7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files would saved to disk:      7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files saved to disk:            7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file data saved to disk:        47466737  bytes</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files duplicated:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files reserving failed:         0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file capture min:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file capture max:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file capture memcap:            0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files reading failed:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file agent memcap failures:     0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files sent:                     0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file data sent:                 0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file transfer failures:         0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">File type stats:</span></div>
<div style=""><span style="font-size:12.8000001907349px">         Type              Download   (Bytes)      Upload     (Bytes)</span></div>
<div style=""><span style="font-size:12.8000001907349px">          GZ( 33)          2          6848054      0          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         MP3( 64)          2          37257592     0          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">        JPEG( 70)          2          3360645      0          0          </span><br>
</div>
<div style=""><span style="font-size:12.8000001907349px">
<div>         BMP(148)          1          446          0          0          </div>
<div><span style="font-size:12.8000001907349px">            Total          7          47466737     0          0          </span><br>
</div>
</span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">File signature stats:</span></div>
<div style=""><span style="font-size:12.8000001907349px">         Type              Download   Upload </span></div>
<div style=""><span style="font-size:12.8000001907349px">          GZ( 33)          2          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         MP3( 64)          2          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         PNG( 69)          1          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">        JPEG( 70)          2          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            Total          7          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">File type verdicts:</span></div>
<div style=""><span style="font-size:12.8000001907349px">        UNKNOWN:           7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            LOG:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">           STOP:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          BLOCK:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         REJECT:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">        PENDING:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">   STOP CAPTURE:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          Total:           7          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">File signature verdicts:</span></div>
<div style=""><span style="font-size:12.8000001907349px">        UNKNOWN:           7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            LOG:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">           STOP:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          BLOCK:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         REJECT:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">        PENDING:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">   STOP CAPTURE:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          Total:           7          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files processed:             10         </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files data processed:        47473897  bytes </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files buffered:              7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files released:              7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files freed:                 0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files captured:              7          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files within one packet:     1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers allocated:           1452       </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers freed:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers released:            1452       </span></div>
<div style=""><span style="font-size:12.8000001907349px">Maximum file buffers used:         759        </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers free errors:         0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers release errors:      0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total memcap failures:             0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total memcap failures at reserve:  0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total reserve failures:            0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total file capture size min:       0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total file capture size max:       0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total capture max before reserve:  0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total file signature max:          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Maximum buffers can allocate:      3196       </span></div>
<div style=""><span style="font-size:12.8000001907349px">Number of buffers in use:          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Number of buffers in free list:    1744       </span></div>
<div style=""><span style="font-size:12.8000001907349px">Number of buffers in release list: 1452       </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Snort exiting</span></div>
</div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">This time the captured files have changed:</span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px"># ls -lS</span></div>
<div style=""><span style="font-size:12.8000001907349px">
<div>-rw------- 1 root root 24211979 May  8 21:20 8452B621DC334D1FD44470A80540CBEF2F6869AF851B9E8C684EF9402016F692</div>
<div>-rw------- 1 root root 13045613 May  8 21:20 5CF142947C2957EE648457A91B69FB82F088F31205030F9A77B2AD827228C6E9</div>
<div>-rw------- 1 root root  6352738 May  8 21:20 DB57C532919D9ABABAC127F29DBDC05ED832394880E46CAD81A5DDE713CCB4BE</div>
<div>-rw------- 1 root root  2936119 May  8 21:20 B4127F43A3F455523B81179CC11AA4F28FC27F4C041D20E28AA08A32D85CB757</div>
<div>-rw------- 1 root root   495316 May  8 21:20 A294AA3D01CD8902BF842D320E7F2C043AF9EAD95D0E7198C3B71A0DBC9D253C</div>
<div>-rw------- 1 root root   424526 May  8 21:20 8863DB1EC4B02D5BCC1FB4BD03D220F7458136342CDD47CE507A5B886C6BB56C</div>
<div>-rw------- 1 root root      446 May  8 21:20 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1</div>
</span></div>
<div style=""><br>
</div>
<div style=""><span style="font-size:12.8000001907349px">But they are still different from the original ones:</span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px"># ls -lS</span></div>
<div style="">
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root 1044381696 Feb 18 20:12 ubuntu-14.04.2-desktop-amd64.iso</div>
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root  375187792 May  8 21:07 VMware-viclient.exe</div>
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root  101688487 Jul 10  2014 oversize_pdf_test_0.pdf</div>
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root   14955972 May  8 21:07 MakeUp.mov</div>
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root    6094376 May  8 21:07 video1.avi</div>
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root    2187725 May  8 21:07 Fighter.mpg</div>
<div style="font-size:12.8000001907349px">-rw-r--r-- 1 root root        446 Mar 22  2013 tux-sw.bmp</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px">##########################################################################</div>
<div style="font-size:12.8000001907349px">##########################################################################</div>
<div style="font-size:12.8000001907349px"><br>
</div>
<div style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Exit stats when listening from the interface with type_id enabled:</span><br>
</div>
<div style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style="">
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Run time for packet processing was 108.388974 seconds</span></div>
<div style=""><span style="font-size:12.8000001907349px">Snort processed 256250 packets.</span></div>
<div style=""><span style="font-size:12.8000001907349px">Snort ran for 0 days 0 hours 1 minutes 48 seconds</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Pkts/min:       256250</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Pkts/sec:         2372</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Memory usage summary:</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total non-mmapped bytes (arena):       10100736</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Bytes in mapped regions (hblkhd):      122081280</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total allocated space (uordblks):      8073952</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total free space (fordblks):           2026784</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Topmost releasable block (keepcost):   108544</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Packet I/O Totals:</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Received:       256250</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Analyzed:       256250 (100.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Dropped:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Filtered:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">Outstanding:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Injected:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Breakdown by protocol (includes rebuilt packets):</span></div>
<div style=""><span style="font-size:12.8000001907349px">        Eth:       256255 (100.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       VLAN:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        IP4:       256130 ( 99.951%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       Frag:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       ICMP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        UDP:           24 (  0.009%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        TCP:       132229 ( 51.601%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP6 Ext:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   IP6 Opts:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Frag6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      ICMP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       UDP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       TCP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Teredo:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    ICMP-IP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP4/IP4:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP4/IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP6/IP4:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    IP6/IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        GRE:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE Eth:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   GRE VLAN:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE IP4:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE IP6:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">GRE IP6 Ext:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   GRE PPTP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE ARP:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    GRE IPX:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   GRE Loop:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">       MPLS:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        ARP:          125 (  0.049%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">        IPX:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Eth Loop:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   Eth Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   IP4 Disc:       123866 ( 48.337%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   IP6 Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   TCP Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">   UDP Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">  ICMP Disc:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">All Discard:       123866 ( 48.337%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Other:           11 (  0.004%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">Bad Chk Sum:          362 (  0.141%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Bad TTL:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     S5 G 1:            2 (  0.001%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     S5 G 2:            3 (  0.001%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Total:       256255</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Action Stats:</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Alerts:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Logged:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Passed:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">Limits:</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Match:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Queue:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">        Log:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Event:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Alert:            0</span></div>
<div style=""><span style="font-size:12.8000001907349px">Verdicts:</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Allow:       228770 ( 89.276%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Block:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Replace:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Whitelist:        27480 ( 10.724%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Blacklist:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Ignore:            0 (  0.000%)</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Frag3 statistics:</span></div>
<div style=""><span style="font-size:12.8000001907349px">        Total Fragments: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">      Frags Reassembled: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               Discards: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">          Memory Faults: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               Timeouts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               Overlaps: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">              Anomalies: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Alerts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  Drops: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">     FragTrackers Added: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">    FragTrackers Dumped: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">FragTrackers Auto Freed: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">    Frag Nodes Inserted: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">     Frag Nodes Deleted: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Stream statistics:</span></div>
<div style=""><span style="font-size:12.8000001907349px">            Total sessions: 20</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP sessions: 14</span></div>
<div style=""><span style="font-size:12.8000001907349px">              UDP sessions: 6</span></div>
<div style=""><span style="font-size:12.8000001907349px">             ICMP sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               IP sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                TCP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                UDP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">               ICMP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 IP Prunes: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">TCP StreamTrackers Created: 14</span></div>
<div style=""><span style="font-size:12.8000001907349px">TCP StreamTrackers Deleted: 14</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP Timeouts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP Overlaps: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">       TCP Segments Queued: 6930</span></div>
<div style=""><span style="font-size:12.8000001907349px">     TCP Segments Released: 6930</span></div>
<div style=""><span style="font-size:12.8000001907349px">       TCP Rebuilt Packets: 6331</span></div>
<div style=""><span style="font-size:12.8000001907349px">         TCP Segments Used: 6903</span></div>
<div style=""><span style="font-size:12.8000001907349px">              TCP Discards: 7</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  TCP Gaps: 6570</span></div>
<div style=""><span style="font-size:12.8000001907349px">      UDP Sessions Created: 6</span></div>
<div style=""><span style="font-size:12.8000001907349px">      UDP Sessions Deleted: 6</span></div>
<div style=""><span style="font-size:12.8000001907349px">              UDP Timeouts: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">              UDP Discards: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                    Events: 16</span></div>
<div style=""><span style="font-size:12.8000001907349px">           Internal Events: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">           TCP Port Filter</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  Filtered: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Inspected: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                   Tracked: 131874</span></div>
<div style=""><span style="font-size:12.8000001907349px">           UDP Port Filter</span></div>
<div style=""><span style="font-size:12.8000001907349px">                  Filtered: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Inspected: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">                   Tracked: 6</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">HTTP Inspect - encodings (Note: stream-reassembled packets included):</span></div>
<div style=""><span style="font-size:12.8000001907349px">    POST methods:                         0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    GET methods:                          0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Request Headers extracted:       0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Request Cookies extracted:       0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Post parameters extracted:            0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP response Headers extracted:      2         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Response Cookies extracted:      0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Unicode:                              0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Double unicode:                       0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Non-ASCII representable:              0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Directory traversals:                 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Extra slashes ("//"):                 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Self-referencing paths ("./"):        0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    HTTP Response Gzip packets extracted: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Gzip Compressed Data Processed:       n/a       </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Gzip Decompressed Data Processed:     n/a       </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Total packets processed:              13165     </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">SMTP Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total sessions                                    : 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Max concurrent sessions                           : 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">dcerpc2 Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">SSL Preprocessor:</span></div>
<div style=""><span style="font-size:12.8000001907349px">   SSL packets decoded: 68        </span></div>
<div style=""><span style="font-size:12.8000001907349px">          Client Hello: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">          Server Hello: 2         </span></div>
<div style=""><span style="font-size:12.8000001907349px">           Certificate: 2         </span></div>
<div style=""><span style="font-size:12.8000001907349px">           Server Done: 3         </span></div>
<div style=""><span style="font-size:12.8000001907349px">   Client Key Exchange: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">   Server Key Exchange: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">         Change Cipher: 2         </span></div>
<div style=""><span style="font-size:12.8000001907349px">              Finished: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Client Application: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Server Application: 1         </span></div>
<div style=""><span style="font-size:12.8000001907349px">                 Alert: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Unrecognized records: 64        </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Completed handshakes: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">        Bad handshakes: 0         </span></div>
<div style=""><span style="font-size:12.8000001907349px">      Sessions ignored: 1         </span></div>
<div style=""><span style="font-size:12.8000001907349px">    Detection disabled: 1         </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">SIP Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total sessions: 0</span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">File Preprocessor Statistics</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file type callbacks:            2          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file signature callbacks:       1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files would saved to disk:      1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files saved to disk:            1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file data saved to disk:        446       bytes</span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files duplicated:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files reserving failed:         0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file capture min:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file capture max:               0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file capture memcap:            0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files reading failed:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file agent memcap failures:     0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total files sent:                     0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file data sent:                 0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">  Total file transfer failures:         0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">File type stats:</span></div>
<div style=""><span style="font-size:12.8000001907349px">         Type              Download   (Bytes)      Upload     (Bytes)</span></div>
<div style=""><span style="font-size:12.8000001907349px">         BMP(148)          1          446          0          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         PDF(288)          1          3057259      0          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            Total          2          3057705      0          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">File signature stats:</span></div>
<div style=""><span style="font-size:12.8000001907349px">         Type              Download   Upload </span></div>
<div style=""><span style="font-size:12.8000001907349px">         BMP(148)          1          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            Total          1          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">File type verdicts:</span></div>
<div style=""><span style="font-size:12.8000001907349px">        UNKNOWN:           2          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            LOG:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">           STOP:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          BLOCK:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         REJECT:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">        PENDING:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">   STOP CAPTURE:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          Total:           2          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">File signature verdicts:</span></div>
<div style=""><span style="font-size:12.8000001907349px">        UNKNOWN:           1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">            LOG:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">           STOP:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          BLOCK:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">         REJECT:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">        PENDING:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">   STOP CAPTURE:           0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">          Total:           1          </span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files processed:             2          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files data processed:        3057705   bytes </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files buffered:              2          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files released:              1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files freed:                 1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files captured:              1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total files within one packet:     1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers allocated:           95         </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers freed:               94         </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers released:            1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Maximum file buffers used:         94         </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers free errors:         0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total buffers release errors:      0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total memcap failures:             0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total memcap failures at reserve:  0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total reserve failures:            0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total file capture size min:       0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total file capture size max:       0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total capture max before reserve:  0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Total file signature max:          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Maximum buffers can allocate:      3196       </span></div>
<div style=""><span style="font-size:12.8000001907349px">Number of buffers in use:          0          </span></div>
<div style=""><span style="font-size:12.8000001907349px">Number of buffers in free list:    3195       </span></div>
<div style=""><span style="font-size:12.8000001907349px">Number of buffers in release list: 1          </span></div>
<div style=""><span style="font-size:12.8000001907349px">===============================================================================</span></div>
<div style=""><span style="font-size:12.8000001907349px">Snort exiting</span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">This time the captured files haven't changed:</span></div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px"># ls -lS</span></div>
<div style=""><span style="font-size:12.8000001907349px">-rw------- 1 root root 446 May  8 21:33 8D490C71A27631CF6A476F68C409655CB63BF32C17846A3C3C125A79046DB2C1</span><br>
</div>
<div style=""><span style="font-size:12.8000001907349px"><br>
</span></div>
<div style=""><span style="font-size:12.8000001907349px">Best Regards,</span></div>
<div style=""><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div><span style="font-size:12.8000001907349px">Pablo Cantos</span><br>
</div>
<div><a href="http://redborder.org" target="_blank">redborder.org</a> / <a href="mailto:pcantos@...16842..." target="_blank">
pcantos@...16842...</a></div>
</div>
</div>
</div>
</div>
</div>
<br>
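<div>The interface run above shows 48% of packets under All Discard and 6570 TCP Gaps, against a single 446-byte file saved to disk. The script below is an added example for this thread, not code from Snort or from either poster: it parses the counters Snort prints at exit and reports the conditions that explain why file_inspect saw so little data. The section and counter names are Snort's own, taken from the output quoted above; the SAMPLE_STATS excerpt is constructed from that output, and the 1% discard threshold and the checksum hint are assumptions chosen for illustration.</div>
<div><br>
</div>
```python
"""Parse Snort 2.9 exit statistics and flag the conditions that explain
missing file captures: decoder discards and TCP reassembly gaps.

Added example for this thread, not code from Snort or from the posters.
Section and counter names are as Snort prints them in the output quoted
above; SAMPLE_STATS is an excerpt constructed from that output, and the
thresholds in diagnose() are assumptions chosen for illustration.
"""
import re

# Excerpt constructed from the "listening from interface" run quoted above.
SAMPLE_STATS = """\
===============================================================================
Packet I/O Totals:
   Received:       256250
   Analyzed:       256250 (100.000%)
    Dropped:            0 (  0.000%)
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth:       256255 (100.000%)
        IP4:       256130 ( 99.951%)
        TCP:       132229 ( 51.601%)
   IP4 Disc:       123866 ( 48.337%)
All Discard:       123866 ( 48.337%)
Bad Chk Sum:          362 (  0.141%)
      Total:       256255
===============================================================================
Stream statistics:
              TCP sessions: 14
       TCP Segments Queued: 6930
       TCP Rebuilt Packets: 6331
              TCP Discards: 7
                  TCP Gaps: 6570
===============================================================================
File Preprocessor Statistics
  Total file type callbacks:            2
  Total file signature callbacks:       1
  Total files saved to disk:            1
  Total file data saved to disk:        446       bytes
===============================================================================
"""

# "<name>: <count> [( <pct>%)]" as Snort prints it; trailing units ("bytes") are ignored.
COUNTER_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s+(?P<count>\d+)(?:\s*\(\s*(?P<pct>[\d.]+)%\))?")
SEPARATOR = "=" * 10


def parse_snort_stats(text):
    """Return {section: {counter: int}} for every '<name>: <integer>' line."""
    stats, section = {}, "header"
    for line in text.splitlines():
        if not line.strip() or line.startswith(SEPARATOR):
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats.setdefault(section, {})[m["key"].strip()] = int(m["count"])
        else:
            # Any other non-empty line names the section that follows it
            # ("Stream statistics:", "File Preprocessor Statistics", ...).
            section = line.strip().rstrip(":")
    return stats


def counter(stats, section_prefix, name, default=0):
    """Look up a counter by section-name prefix ('Stream', 'File Preprocessor', ...)."""
    for section, counters in stats.items():
        if section.startswith(section_prefix) and name in counters:
            return counters[name]
    return default


def diagnose(stats, discard_threshold=0.01):
    """Return (discard_ratio, findings) explaining why file_inspect may have seen little data.

    discard_threshold (1% by default) is an assumed value, not a Snort setting.
    """
    total = counter(stats, "Breakdown", "Total")
    discards = counter(stats, "Breakdown", "All Discard")
    ratio = discards / total if total else 0.0
    gaps = counter(stats, "Stream", "TCP Gaps")
    findings = []
    if counter(stats, "Packet I/O", "Dropped"):
        findings.append("DAQ dropped packets: the capture could not keep up with the interface")
    if ratio > discard_threshold:
        findings.append(f"decoder discarded {ratio:.1%} of packets (All Discard), "
                        "so those sessions never reach stream reassembly")
    if gaps:
        # As explained in the thread: file inspection runs only on correctly
        # reassembled data, so sessions with gaps are not handed to file_inspect.
        findings.append(f"{gaps} TCP gaps: file inspection is skipped for sessions "
                        "whose file data was not reassembled")
    if counter(stats, "Breakdown", "Bad Chk Sum"):
        # Hint, not a diagnosis: NIC checksum offload on the sniffing host is a
        # common cause when sniffing locally generated traffic.
        findings.append("bad checksums seen: check NIC checksum offload or config checksum_mode")
    return ratio, findings


if __name__ == "__main__":
    ratio, findings = diagnose(parse_snort_stats(SAMPLE_STATS))
    print(f"discard ratio {ratio:.1%}; files saved: "
          f"{counter(parse_snort_stats(SAMPLE_STATS), 'File Preprocessor', 'Total files saved to disk')}")
    for f in findings:
        print(" -", f)
```
<div>To use it on a real run, save Snort's exit output (for example with <span style="font-family:monospace">2&gt;&amp;1 | tee stats.txt</span>) and call <span style="font-family:monospace">diagnose(parse_snort_stats(open("stats.txt").read()))</span>. A high IP4 Disc count on an interface that carries jumbo frames is also worth checking against Snort's snaplen (<span style="font-family:monospace">-P</span>, default 1518 in Snort 2.9): a frame longer than the snaplen is truncated before the decoder ever sees it.</div>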
<div class="gmail_quote">2015-05-08 21:49 GMT+02:00 Hui Cao (huica) <span dir="ltr">
<<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>Hi Pablo,</div>
<div><br>
</div>
<div>When listening from interfaces, you have lots of discards. Because file processing relies on data that are reassembled correctly, it won’t be called for those sessions that miss file data.</div>
<div><br>
</div>
<div>In the case of PCAP, not sure why the file type is not identified. It is interesting to see 47M of file data for only 3326 packets. That is 24K per packet. I guess in this case, it will always hit PAF_MAX for each packet, which might set each packet as a single PDU (file).
 Can you try this setting?</div>
<div><span style="line-height:20.7900009155273px"><br>
</span></div>
<div><span style="line-height:20.7900009155273px">config paf_max: 60000</span></div>
<div><br>
</div>
<div>Best,</div>
<div>Hui.</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span class=""><span style="font-weight:bold">From: </span>Pablo Cantos Polaino <<a href="mailto:pcantos@...16842..." target="_blank">pcantos@...16842...</a>><br>
</span><span style="font-weight:bold">Date: </span>Friday, May 8, 2015 at 3:29 PM<br>
<span style="font-weight:bold">To: </span>Hui Cao <<a href="mailto:huica@...589..." target="_blank">huica@...589...</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@...5870....net</a>" <<a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [Snort-users] File preprocessor fails to capture files<br>
</div>
<span class="">
<div><br>
</div>
<div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
   IP4 Disc:       122145 ( 49.331%)</div>
<div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
   IP6 Disc:            0 (  0.000%)</div>
<div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
   TCP Disc:            0 (  0.000%)</div>
<div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
   UDP Disc:            0 (  0.000%)</div>
<div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
  ICMP Disc:            0 (  0.000%)</div>
<div style="color:rgb(0,0,0);font-family:Calibri;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">
All Discard:       122145 ( 49.331%)</div>
</span></span>
<div><br>
</div>
<span class="">
<div>
<div style="font-family:Calibri">         TCP Segments Used: 6919</div>
<div style="font-family:Calibri">              TCP Discards: 48</div>
<div style="font-family:Calibri">                  TCP Gaps: 6459</div>
</div>
</span></div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</span>
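<div>The PAF_MAX question raised in the quoted reply (average bytes per packet versus config paf_max) can be checked directly against a capture before changing the setting. The Python below is an added example, not code from this thread or from Snort; it parses classic pcap record headers itself and builds a small constructed capture inline, so the packet sizes and the SAMPLE/build_pcap/paf_check names are assumptions.</div>

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap magic as read with "<I"
PCAP_MAGIC_BE = 0xD4C3B2A1  # same magic if the file was written big-endian

def build_pcap(caplens):
    """Constructed little-endian pcap: one zero-filled record per caplen."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, n, n) + b"\x00" * n for n in caplens)
    return hdr + recs

def iter_caplens(data):
    """Yield the captured length of every record, refusing truncated input."""
    if len(data) < 24:
        raise ValueError("pcap global header is incomplete")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on wire)
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            raise ValueError("record at offset %d is truncated" % (off - 16))
        yield caplen
        off += caplen

def paf_check(data, paf_max=16000):
    """Summarise captured packet sizes against a Snort 'config paf_max' value.
    A packet larger than paf_max hits PAF_MAX on its own, which is the
    situation the thread suspects for the 24K-per-packet capture."""
    caplens = list(iter_caplens(data))
    total = sum(caplens)
    return {
        "packets": len(caplens),
        "bytes": total,
        "avg_per_packet": total // len(caplens) if caplens else 0,
        "max_caplen": max(caplens, default=0),
        "over_paf_max": sum(1 for n in caplens if n > paf_max),
    }

# Constructed sample: a normal frame, a ~24K frame like the thread's average,
# and a 9K jumbo frame. For a real file use open(path, "rb").read().
SAMPLE = build_pcap([1500, 24000, 9000])
```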
</body>
</html>