Snort mailing list archives

Linux & Pcap ... :-(


From: Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>
Date: Tue, 04 Feb 2003 16:53:22 -0500

So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero. So, the next time I do a SIGUSR1, the 'breakdown by protocol' shows > 100% because Snort keeps track of the individual protocol stats but gets the percentage based on the numbers provided by libpcap.

While this is clearly not necessarily a Snort problem since it only seems that the Linux version of libpcap behaves this way, it is equally obvious that this will not endear my choice of IDS to my bosses who are mickle suspicious of any software that does arrive with a license that grants the manufacturer exclusive access to the user's first born offspring while costing many thousands of dollars.

Does anyone have a solution for this - preferably a means to modify libpcap's behaviour and have it not reset the stats? If not, I'll just mess around with the Snort source and probably just take out the percentage displays.

Thanks,
Kevin
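
The mismatch described in the message above, as an added example that is not part of the original post and is not Snort or libpcap code: the application keeps its own running packet total, so the percentage denominator stays consistent whether the capture layer zeroes its counters on each read or not. `struct cap_stat`, `totals_update` and `pct_x100` are hypothetical names; `ps_recv` and `ps_drop` mirror the fields of libpcap's `struct pcap_stat`, and the sample numbers are constructed.

```c
#include <stdio.h>

/* Stand-in for the two counters of libpcap's struct pcap_stat used here. */
struct cap_stat { unsigned int ps_recv, ps_drop; };

enum read_mode { RESET_ON_READ, CUMULATIVE };  /* how the platform reports */

struct totals {                    /* application-owned running totals */
    unsigned long long recv, drop;
    unsigned int last_recv, last_drop;  /* previous raw values (CUMULATIVE) */
};

/* Fold one stats read into the running totals. */
void totals_update(struct totals *t, const struct cap_stat *s, enum read_mode m)
{
    if (m == RESET_ON_READ) {      /* each read is already a delta */
        t->recv += s->ps_recv;
        t->drop += s->ps_drop;
    } else {                       /* unsigned subtraction survives counter wrap */
        t->recv += (unsigned int)(s->ps_recv - t->last_recv);
        t->drop += (unsigned int)(s->ps_drop - t->last_drop);
    }
    t->last_recv = s->ps_recv;
    t->last_drop = s->ps_drop;
}

/* Percentage in hundredths of a percent (integer math); 0 when whole is 0. */
unsigned long long pct_x100(unsigned long long part, unsigned long long whole)
{
    return whole ? (part * 10000ULL) / whole : 0;
}

int main(void)
{
    /* Constructed sample: two stats dumps on a reset-on-read platform. */
    struct cap_stat reads[2] = { { 800, 0 }, { 500, 0 } };
    unsigned long long tcp_seen[2] = { 600, 1000 };  /* app counter, never reset */
    struct totals t = { 0 };

    for (int i = 0; i < 2; i++) {
        totals_update(&t, &reads[i], RESET_ON_READ);
        unsigned long long naive = pct_x100(tcp_seen[i], reads[i].ps_recv);
        unsigned long long fixed = pct_x100(tcp_seen[i], t.recv);
        printf("dump %d: naive %llu.%02llu%%  corrected %llu.%02llu%%\n", i + 1,
               naive / 100, naive % 100, fixed / 100, fixed % 100);
    }
    return 0;
}
```

Which `read_mode` applies has to be chosen per platform, since a single read cannot tell a reset counter from a cumulative one.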



