Snort mailing list archives

Re: Linux & Pcap ... :-(


From: "Paul B. Poh" <paul () paulpoh com>
Date: Wed, 05 Feb 2003 08:00:56 -0500

I did run into this issue a few months ago. I believe that this is actually a Linux kernel feature.

For newer 2.4.x (I think) kernels, libpcap for Linux will getsockopt() for PACKET_STATISTICS. In the kernel code, when PACKET_STATISTICS is processed in af_packet.c:packet_getsockopt(), the packet->stats structure is reset.

If you want to hack the kernel, you can try commenting out the line:

memset(&sk->protinfo.af_packet->stats, 0, sizeof(st));

in the function packet_getsockopt() in the file af_packet.c .

I can't guarantee that this doesn't blow up anything or even work. Use at your own risk :-)

I use a slightly different method to track stats. I actually like the fact that the stats are reset, because then I can get interval information (i.e. packets processed per x time interval).

Kevin Peuhkurinen wrote:
So I'm trying to make up a script that will show my bosses the daily stats dump resulting from a SIGUSR1 to Snort. Unfortunately, it appears that when Snort calls libpcap to get its stats, libpcap thereafter resets them to zero. So, the next time I do a SIGUSR1, the 'breakdown by protocol' shows > 100% because Snort keeps track of the individual protocol stats but gets the percentage based on the numbers provided by libpcap.

While this is clearly not necessarily a Snort problem since it only seems that the Linux version of libpcap behaves this way, it is equally obvious that this will not endear my choice of IDS to my bosses who are mickle suspicious of any software that does arrive with a license that grants the manufacturer exclusive access to the user's first born offspring while costing many thousands of dollars.

Does anyone have a solution for this - preferably a means to modify libpcap's behaviour and have it not reset the stats? If not, I'll just mess around with the Snort source and probably just take out the percentage displays.

Thanks,
Kevin
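
As an added illustration that is not code from either post, the C model below shows why Kevin's percentages exceeded 100% once the kernel zeroed the counters on every read, and how re-accumulating the per-interval readings (the same interval values Paul keeps for rate tracking) restores a cumulative denominator. libpcap is not linked; the kernel counter, its reset-on-read getsockopt() stand-in and all packet counts are constructed for the example.

```c
#include <string.h>
/* Same two fields libpcap's pcap_stat reports on Linux. */
struct pstat { unsigned ps_recv, ps_drop; };

/* Stand-in for the kernel's PACKET_STATISTICS counters (constructed). */
static struct pstat kernel_stats;

/* Packets arriving on the socket bump the kernel counters. */
static void kernel_deliver(unsigned recv, unsigned drop)
{
    kernel_stats.ps_recv += recv;
    kernel_stats.ps_drop += drop;
}

/* Models getsockopt(PACKET_STATISTICS) on 2.4: copy the counters out, then
 * zero them, which is what the memset() quoted in the thread does. */
static struct pstat fake_pcap_stats(void)
{
    struct pstat st = kernel_stats;
    memset(&kernel_stats, 0, sizeof(kernel_stats));
    return st;
}

/* 'last' is the interval reading Paul uses for rates; 'sum' is the running
 * total Kevin needs so his percentages have a cumulative denominator. */
struct totals { struct pstat sum, last; };

static void totals_update(struct totals *t)
{
    t->last = fake_pcap_stats();
    t->sum.ps_recv += t->last.ps_recv;
    t->sum.ps_drop += t->last.ps_drop;
}

static double pct(unsigned part, unsigned whole) { return whole ? 100.0 * part / whole : 0.0; }

/* Replays two SIGUSR1 dumps with constructed counts and returns the TCP
 * percentage computed the naive way and against the accumulated total. */
static void two_dumps(double *naive, double *correct)
{
    struct totals t = { {0, 0}, {0, 0} };
    unsigned tcp = 0;                    /* Snort's own cumulative counter */
    memset(&kernel_stats, 0, sizeof(kernel_stats));
    kernel_deliver(1000, 0); tcp += 600; totals_update(&t);  /* dump 1 */
    kernel_deliver(500, 0);  tcp += 300; totals_update(&t);  /* dump 2 */
    *naive = pct(tcp, t.last.ps_recv);   /* 900/500  = 180%: the ">100%" */
    *correct = pct(tcp, t.sum.ps_recv);  /* 900/1500 = 60% */
}
```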




-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users