Snort mailing list archives

RE: SNORT DROPPING PACKETS


From: "Crow, Owen" <Owen_Crow () bmc com>
Date: Thu, 3 Jan 2002 11:37:01 -0600

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov]
Sent: Wednesday, January 02, 2002 6:35 PM
To: Crow, Owen
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] SNORT DROPPING PACKETS

[snip]
I'd like to help, but this first cut will be quick:

If this is a quick reply, let me know which publisher handles your
in-depth replies :).

  1. It looks like the FreeBSD system call does not clear kernel stats
     whereas the Linux one does.  I could modify this behavior, but
     don't know which API I prefer.  I kind of like the clear
     behavior, because it means I could run a program for a long time
     and never get a wrap, and let the application do really long
     arithmetic.

I guess a choice would be the best.  I'm not much of a programmer, but
isn't arithmetic just as costly regardless of the numbers since the same
type of variable is used (I assume long int?)  Of course it will
eventually roll-over.  I suppose there's a division in there that might
be quicker for smaller numbers...

  2. Are the FreeBSD and Linux runs concurrent with a USR1 every N
     seconds? Because the differences are monumental.

Yes the intervals are the same, but they are not sniffing the same
network.  Currently FreeBSD is sniffing from the fire hose, while the
Linux box is just sitting on my switched corporate network.

  3. I'd make sure and run the tests with no filter as in "".

Done:
Linux: snort -c /etc/snort/snort.conf -l /var/log/snort -u snort -g snort
FreeBSD: /usr/local/bin/snort -c /etc/snort/snort.conf -l /var/log/snort -u
snort -g snort -i xl0

  4. I've run into problems when building different versions related
     to re-running the configure program each time to make sure that
     the proper pcap includes and libraries are applied.  This is
     especially true with shared libs.

This was a fresh install of RH7.2 with no libpcap installed.  The first
one installed was 2002.01.02 and I verified that there are no stray
libpcap* files using `find / -name "libpcap*" -ls`:
165554  148 -rw-r--r--   1 root     root       144780 Jan  2 08:56
/usr/local/lib/libpcap.a
 65846  195 -rw-r--r--   1 root     root       197778 Jan  2 04:05
/root/src/libpcap-current.tar.gz
 22648    2 drwxrwxr-x   8 179      305          2048 Jan  2 08:56
/root/src/libpcap-2002.01.02
 22735  143 -rw-r--r--   1 root     root       144780 Jan  2 08:56
/root/src/libpcap-2002.01.02/libpcap.a
 78204  177 -rw-r--r--   1 1001     1001       180104 Sep  5 15:32
/root/src/snort-1.8.3/win32/WIN32-Libraries/libpcap.lib

  5. I've run a tcpdump with basically the libpcap changes indicated
     in my previous message and compared the results with the actual
     interface statistics provided by /proc/net/dev.  Usually, I'm
     off by a small delta of packets due to the fact that I'm doing a
     cat /proc/net/dev before and after, like so:

[snip]

    This will show the actual # of packets "in + out" on the
    inter[face] in question during the tcpdump run.  (which is why I
    mention to use an "all packets" filter.)

Output: /proc/net/dev:eth1 saw 10009 packets.
So that looks OK.

  6. As for a patch, I was premature to release a pointer to my
     modified libpcap.  I've got an issue (totally bogus stats!) which
     only happens on one system.  I'm thinking I have a disk going
     south, but little evidence yet.  Until I know for sure, I'm
     holding back on any sharing of beta code.
[snip]
I'm all for testing once it's stable for you...

[snip]
Ah, the daily is the current release from tcpdump.

Well, if /usr/include/linux/if_packet.h has PACKET_STATISTICS and you
have chosen the correct options when building the kernel, you
might get the attached patch to work.

Let me know how it goes.

I'll try that this afternoon.

Thanks for all your help!

Owen
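As an added example (not code from this thread or from Snort/libpcap), here is the /proc/net/dev cross-check from item 5 written as a small Python script: it takes two snapshots of /proc/net/dev, sums the receive and transmit packet deltas for one interface (tolerating a single counter wrap, the concern raised in item 1), and compares that "in + out" figure with libpcap's ps_recv + ps_drop. The two snapshots are constructed sample text in the 2.4-kernel column layout, and the 32-bit counter width is an assumption.

```python
"""Cross-check libpcap's packet counts against /proc/net/dev interface counters."""

COUNTER_BITS = 32  # assumption: unsigned 32-bit kernel counters, so they can wrap

# Constructed sample snapshots (same column layout as a 2.4 kernel's /proc/net/dev).
BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  102400     800    0    0    0     0          0         0   102400     800    0    0    0     0       0          0
  eth1: 4096000    5000    0    0    0     0          0         0   512000    2000    0    0    0     0       0          0
"""
AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  102400     800    0    0    0     0          0         0   102400     800    0    0    0     0       0          0
  eth1: 9876000   14000    0    0    0     0          0         0   640000    3009    0    0    0     0       0          0
"""

def parse_proc_net_dev(text):
    """Return {iface: (rx_packets, tx_packets)} parsed from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:          # skip the two header lines
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        if len(fields) < 16:         # 8 receive + 8 transmit columns expected
            continue
        # 'packets' is the second column of the receive block and of the transmit block
        stats[iface.strip()] = (int(fields[1]), int(fields[9]))
    return stats

def counter_delta(before, after, bits=COUNTER_BITS):
    """Difference of two unsigned kernel counters, correct across one wrap."""
    return (after - before) % (1 << bits)

def iface_packets(before_text, after_text, iface):
    """Packets seen 'in + out' on iface between the two snapshots."""
    rx0, tx0 = parse_proc_net_dev(before_text)[iface]
    rx1, tx1 = parse_proc_net_dev(after_text)[iface]
    return counter_delta(rx0, rx1) + counter_delta(tx0, tx1)

def compare_with_pcap(kernel_packets, ps_recv, ps_drop):
    """Return (unaccounted, drop_pct): packets the interface saw that libpcap
    neither delivered nor counted as dropped, and libpcap's own drop rate."""
    seen_by_pcap = ps_recv + ps_drop
    unaccounted = kernel_packets - seen_by_pcap
    drop_pct = 100.0 * ps_drop / seen_by_pcap if seen_by_pcap else 0.0
    return unaccounted, drop_pct

if __name__ == "__main__":
    total = iface_packets(BEFORE, AFTER, "eth1")
    print("/proc/net/dev:eth1 saw %d packets." % total)
    print("unaccounted=%d drop_pct=%.2f" % compare_with_pcap(total, 9950, 50))
```

A small non-zero "unaccounted" figure is expected, since the two cat runs do not line up exactly with the start and end of the capture.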

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users