Snort mailing list archives
RE: SNORT DROPPING PACKETS
From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 3 Jan 2002 11:37:01 -0600
-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, January 02, 2002 6:35 PM
To: Crow, Owen
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] SNORT DROPPING PACKETS
[snip]
I'd like to help, but this first cut will be quick:
If this is a quick reply, let me know which publisher handles your in-depth replies :).
1. It looks like the FreeBSD system call does not clear kernel stats whereas the Linux one does. I could modify this behavior, but don't know which API I prefer. I kind of like the clear behavior, because it means I could run a program for a long time and never get a wrap, and let the application do really long arithmetic.
I guess a choice would be the best. I'm not much of a programmer, but isn't arithmetic just as costly regardless of the numbers since the same type of variable is used (I assume long int?) Of course it will eventually roll-over. I suppose there's a division in there that might be quicker for smaller numbers...
2. Are the FreeBSD and Linux runs concurrent with a USR1 every N seconds? cause the differences are monumental.
Yes the intervals are the same, but they are not sniffing the same network. Currently FreeBSD is sniffing from the fire hose, while the Linux box is just sitting on my switched corporate network.
3. I'd make sure and run the tests with no filter as in "".
Done:
Linux:   snort -c /etc/snort/snort.conf -l /var/log/snort -u snort -g snort
FreeBSD: /usr/local/bin/snort -c /etc/snort/snort.conf -l /var/log/snort -u snort -g snort -i xl0
4. I've run into problems when building different versions related to re running the configure program each time to make sure that the proper pcap includes and libraries are applied. This is especially true with shared libs.
This was a fresh install of RH7.2 with no libpcap installed. The first one installed was 2002.01.02 and I verified that there are no stray libpcap* files using `find / -name "libpcap*" -ls`:
165554 148 -rw-r--r--   1 root     root       144780 Jan  2 08:56 /usr/local/lib/libpcap.a
 65846 195 -rw-r--r--   1 root     root       197778 Jan  2 04:05 /root/src/libpcap-current.tar.gz
 22648   2 drwxrwxr-x   8 179      305          2048 Jan  2 08:56 /root/src/libpcap-2002.01.02
 22735 143 -rw-r--r--   1 root     root       144780 Jan  2 08:56 /root/src/libpcap-2002.01.02/libpcap.a
 78204 177 -rw-r--r--   1 1001     1001       180104 Sep  5 15:32 /root/src/snort-1.8.3/win32/WIN32-Libraries/libpcap.lib
5. I've run a tcpdump with basically the libpcap changes indicated in my previous message and compared the results with the actual interface statistics provided by /proc/net/dev. Usually, I'm off by a small delta of packets due to the fact that I'm doing a cat /proc/net/dev before and after, like so:
[snip]
This will show the actual # of packets "in + out" on the inter[face] in question during the tcpdump run. (which is why I mention to use an "all packets" filter.)
Output: /proc/net/dev:eth1 saw 10009 packets. So that looks OK.
6. As for a patch, I was premature to release a pointer to my modified libpcap. I've got an issue (totally bogus stats!) which only happens on one system. I'm thinking I have a disk going south, but little evidence yet. Until I know for sure, I'm holding back on any sharing of beta code.
[snip] I'm all for testing once it's stable for you... [snip]
Ah, the daily is the current release from tcpdump. Well, if /usr/include/linux/if_packet.h has PACKET_STATISTICS and you have chosen the correct options when building the kernel, you might get the attached patch to work. Let me know how it goes.
I'll try that this afternoon. Thanks for all your help!
Owen
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
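The before/after interface-counter check from Phil's step 5, written out as an added example (this is not code from the original thread or from the libpcap/Snort projects): a POSIX shell script that snapshots /proc/net/dev around a tcpdump run with no filter, parses the "received by filter / dropped by kernel" summary tcpdump prints on exit, and reports how far the two disagree. It also takes counter deltas modulo 2^32, for the counter-wrap case raised in point 1. The /proc/net/dev column layout (rx packets in the 3rd field and tx packets in the 11th once "iface:" is split off), the tcpdump summary wording, the interface name eth1 and every number in the sample snapshots are assumptions or constructed data; only the live run at the bottom touches a real interface.

```shell
#!/bin/sh
# Added example, not code from the original thread. Cross-checks a libpcap
# capture's own counters (as tcpdump prints them at exit) against the
# interface's rx+tx packet counters from /proc/net/dev, taken before and
# after the run. Assumptions: Linux /proc/net/dev layout, tcpdump summary
# wording; "eth1" and all sample counter values below are constructed.

# rx+tx packet count for one interface out of a /proc/net/dev snapshot.
# Usage: dev_packets "<snapshot text>" <iface>
dev_packets() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /:/ {
            sub(/:/, " ")        # "eth1: 1 2" and "eth1:123 4" both -> "eth1 1 2"
            if ($1 == want) { print $3 + $11; exit }
        }'
}

# Delta between two 32-bit counters, tolerating a single wrap (point 1 above).
counter_delta() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        d = b - a
        if (d < 0) d += 4294967296
        printf "%d\n", d
    }'
}

# The two counters from the summary tcpdump writes to stderr when it stops.
pcap_received() { printf '%s\n' "$1" | awk '/packets received by filter/ { print $1; exit }'; }
pcap_dropped()  { printf '%s\n' "$1" | awk '/packets dropped by kernel/  { print $1; exit }'; }

# Prints: "<iface in+out delta> <received by filter> <dropped by kernel> <delta - received>"
# The last figure is traffic the interface saw that libpcap never reported at
# all: a small positive value is the cat-before/cat-after slop Phil mentions,
# a large or negative one means the stats themselves are suspect. Whether
# "received" already includes "dropped" is platform dependent, so both are
# printed rather than folded together.
compare_counts() {
    before=$(dev_packets "$1" "$3")
    after=$(dev_packets "$2" "$3")
    recv=$(pcap_received "$4")
    drop=$(pcap_dropped "$4")
    seen=$(counter_delta "$before" "$after")
    echo "$seen $recv $drop $((seen - recv))"
}

# Live run on Linux (needs root and tcpdump). No filter expression, so the
# comparison covers everything the interface saw; -w /dev/null keeps packet
# decoding out of the measurement. stderr (the summary) is what gets captured.
measure_live() {
    iface=$1
    count=${2:-10000}
    before=$(cat /proc/net/dev)
    stats=$(tcpdump -i "$iface" -c "$count" -w /dev/null 2>&1 >/dev/null)
    after=$(cat /proc/net/dev)
    compare_counts "$before" "$after" "$iface" "$stats"
}

# Constructed snapshots: eth1 goes from 500000 rx / 120000 tx packets to
# 509850 rx / 120160 tx (10010 in+out), while the constructed tcpdump summary
# claims 10009 received and 0 dropped.
SAMPLE_BEFORE='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     1000    0    0    0     0          0         0   123456     1000    0    0    0     0       0          0
  eth1:98765432   500000    0    0    0     0          0         0 12345678   120000    0    0    0     0       0          0'
SAMPLE_AFTER='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     1000    0    0    0     0          0         0   123456     1000    0    0    0     0       0          0
  eth1:99876543   509850    0    0    0     0          0         0 12367890   120160    0    0    0     0       0          0'
SAMPLE_STATS='10009 packets captured
10009 packets received by filter
0 packets dropped by kernel'

if [ "${1:-}" = "--live" ]; then
    measure_live "$2" "${3:-10000}"
else
    compare_counts "$SAMPLE_BEFORE" "$SAMPLE_AFTER" eth1 "$SAMPLE_STATS"   # 10010 10009 0 1
fi
```

Run it with no arguments to see the constructed case, or `sh check.sh --live eth1 10000` on a Linux sensor to repeat Phil's measurement on a real interface. Note that /proc/net/dev counts the host's own traffic in and out of the interface as well as sniffed traffic, so on a box that is not quiet the last column will never be exactly zero; what matters is that it stays small and stable across runs.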
Current thread:
- Re: SNORT DROPPING PACKETS Phil Wood (Jan 02)
- <Possible follow-ups>
- RE: SNORT DROPPING PACKETS Crow, Owen (Jan 03)
- RE: SNORT DROPPING PACKETS Crow, Owen (Jan 03)