Snort mailing list archives
Re: MMAP and odd looking stats
From: Todd Wease <twease () sourcefire com>
Date: Thu, 08 Nov 2007 13:55:28 -0500
Hi John.

It's a 'problem'. libpcap versions 0.9.1 - 0.9.4 have an issue in Linux of doubling received and dropped stats so we do a couple of configure checks to determine whether or not the pcap version falls in this range. Phil Wood's pcap has a version of '0.9x', so our basic check is determining that we need to halve the stats that pcap gives us.

I'm going to write a bug on this, but don't expect the fix to come out any time soon. As a workaround, those compiling snort from source can change the following in 'configure' and reconfigure and build snort.

Look for this in 'configure':

    if (strcmp(pcap_version, "0.9.5") < 0) return 1;

Change the 'return 1' to 'return 0'.

I haven't actually tested this, so let us know whether it works or not.

Thanks, John, for bringing this to our attention.

Todd

John Hally wrote:
Hello all,

I've been playing around with mmap on Fedora Core 6 and things seem to be working ok, but I noticed that the highlighted % numbers 'Analyzed' and 'Outstanding' are really strange looking. Any idea if this is a 'problem' or just an anomaly?

Thanks!

Nov 8 12:08:24 sensor snort[9258]: Snort initialization completed successfully (pid=9258)
Nov 8 12:08:24 sensor snort[9258]: Using PCAP_FRAMES = 32768
Nov 8 12:14:53 sensor snort[9258]: *** Caught Term-Signal
Nov 8 12:14:53 sensor snort[9258]: ===============================================================================
Nov 8 12:14:53 sensor snort[9258]: Packet Wire Totals:
Nov 8 12:14:53 sensor snort[9258]: Received: 4718727
Nov 8 12:14:53 sensor snort[9258]: Analyzed: 9434571 (199.939%)
Nov 8 12:14:53 sensor snort[9258]: Dropped: 0 (0.000%)
Nov 8 12:14:53 sensor snort[9258]: Outstanding: 18446744073704835772 (390926283162913.125%)
Nov 8 12:14:53 sensor snort[9258]: ===============================================================================

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
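The 'Outstanding' figure in the quoted log is what an unsigned 64-bit subtraction yields once the halved 'Received' count falls below 'Analyzed'. The following is an added example, not part of the thread and not Snort's own code; it assumes Outstanding is computed as Received - Analyzed - Dropped (which reproduces the logged value exactly) and uses hypothetical function names.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Counters copied from the log quoted above. */
#define LOG_RECEIVED 4718727ULL
#define LOG_ANALYZED 9434571ULL
#define LOG_DROPPED  0ULL

/* Assumed formula: plain unsigned subtraction with no consistency check. */
static uint64_t outstanding_unchecked(uint64_t recv, uint64_t analyzed,
                                      uint64_t dropped)
{
    return recv - analyzed - dropped;   /* wraps modulo 2^64 if analyzed > recv */
}

/* Checked variant: 0 on success, -1 if the counters are inconsistent. */
static int outstanding_checked(uint64_t recv, uint64_t analyzed,
                               uint64_t dropped, uint64_t *out)
{
    if (analyzed > recv || dropped > recv - analyzed)
        return -1;
    *out = recv - analyzed - dropped;
    return 0;
}

/* Reverse the halving described in the reply (loses at most one packet). */
static uint64_t undo_halving(uint64_t halved)
{
    return halved * 2;
}

int main(void)
{
    uint64_t out = 0;

    printf("unchecked: %" PRIu64 "\n",
           outstanding_unchecked(LOG_RECEIVED, LOG_ANALYZED, LOG_DROPPED));
    if (outstanding_checked(LOG_RECEIVED, LOG_ANALYZED, LOG_DROPPED, &out) != 0)
        puts("checked:   counters inconsistent (analyzed > received)");
    if (outstanding_checked(undo_halving(LOG_RECEIVED), LOG_ANALYZED,
                            undo_halving(LOG_DROPPED), &out) == 0)
        printf("unhalved:  %" PRIu64 " outstanding\n", out);
    return 0;
}
```

For anyone consuming these counters in monitoring, an 'Analyzed' percentage above 100 or an 'Outstanding' value near 2^64 indicates inconsistent inputs rather than real packet backlog.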