Snort mailing list archives

Re: libpcap 0.7.1


From: Phil Wood <cpw () lanl gov>
Date: Tue, 29 Jan 2002 13:44:22 -0700

Looks correct.  My netscape, shift key, reload just didn't hack it
today.  Cleared my cache and things started to work again.

One caveat, the current snort.c incorrectly adds ps_drop to ps_recv to create
a total of packets received by the filter.  This is actually MY fault, and I have
notified Marty.  It's actually worse than that.  In particular, here is the
skinny on how libpcap manages the "pcap_stat" structure:

        filter  
OS      applied ps_recv                   ps_drop

linux   before  all packets that passed   packets that passed the filter
                the filter including      but dropped due to lack of buffer
                those that were dropped.  space. 

bsd     after   ALL packets that hit      (Same as linux)
                the network interface     
                before being filtered    
                including packets that
                passed the filter and
                packets that were dropped.

The above synopsis is based on my read of the two files pcap-linux.c and
pcap-bpf.c.

I would very much like to change the way pcap_stats works, but the old
hands are tied due to the "api".  

-- 
Phil Wood, cpw () lanl gov
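
The counter semantics described in the message above, worked through as an added example; it is not part of the original post and not code from Snort or libpcap. The struct, enum and function names are assumptions of this example, the two fields mirror ps_recv and ps_drop of libpcap's struct pcap_stat, and the sample counts are constructed.

```c
#include <stdio.h>

/* Stand-in for the two pcap_stat counters, so this builds without libpcap. */
struct stat_sample { unsigned int ps_recv, ps_drop; };

/* Counting models as the message describes them (names are this example's). */
enum recv_model {
    RECV_IS_FILTERED,    /* linux: ps_recv = packets that passed the filter */
    RECV_IS_INTERFACE    /* bsd: ps_recv = all packets seen, before filtering */
};

struct capture_report {
    int filtered_known;       /* 1 if "packets that passed the filter" is derivable */
    unsigned int filtered;    /* passed the filter (valid if filtered_known) */
    unsigned int delivered;   /* passed and not dropped (valid if filtered_known) */
    double drop_ratio;        /* ps_drop / ps_recv: exact on linux, lower bound on bsd */
    unsigned int naive_total; /* ps_recv + ps_drop, the sum the message calls incorrect */
};

struct capture_report interpret_stats(struct stat_sample s, enum recv_model m)
{
    struct capture_report r = {0};
    r.naive_total = s.ps_recv + s.ps_drop;
    r.drop_ratio = s.ps_recv ? (double)s.ps_drop / s.ps_recv : 0.0;
    if (m == RECV_IS_FILTERED) {
        /* ps_recv already includes the dropped packets: do not add them again. */
        r.filtered_known = 1;
        r.filtered = s.ps_recv;
        r.delivered = s.ps_recv >= s.ps_drop ? s.ps_recv - s.ps_drop : 0;
    }
    /* On bsd the filtered count cannot be recovered from these two counters. */
    return r;
}

int main(void)
{
    struct stat_sample s = { 1000, 50 };   /* constructed sample counts */
    struct capture_report l = interpret_stats(s, RECV_IS_FILTERED);
    struct capture_report b = interpret_stats(s, RECV_IS_INTERFACE);
    printf("linux: filtered=%u delivered=%u drop=%.1f%% (naive total %u)\n",
           l.filtered, l.delivered, 100.0 * l.drop_ratio, l.naive_total);
    printf("bsd:   filtered count unknown, drop >= %.1f%% of filtered\n",
           100.0 * b.drop_ratio);
    return 0;
}
```
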

