Snort mailing list archives

Re: MMAP and odd looking stats


From: Todd Wease <twease () sourcefire com>
Date: Thu, 15 Nov 2007 15:24:20 -0500

Turns out that the MMAP pcap does not accumulate stats, so the 
workaround for now is to change in configure.in:
...
        #include <pcap.h>
        #include <string.h>
        extern char pcap_version[];
        ]],
        [[
           if (strcmp(pcap_version, "0.9.0") < 0)
               return 1;
        ]])],
        [libpcap_version_09="yes"],
        [libpcap_version_09="no"])
...

to

...
        #include <pcap.h>
        #include <string.h>
        extern char pcap_version[];
        ]],
        [[
           if (strcmp(pcap_version, "0.9x") == 0)
               return 1;

           if (strcmp(pcap_version, "0.9.0") < 0)
               return 1;
        ]])],
        [libpcap_version_09="yes"],
        [libpcap_version_09="no"])


The fix for this will be in Snort 2.8.1.

Thanks,
Todd


Todd Wease wrote:
Hi John.  It's a 'problem'.  libpcap versions 0.9.1 - 0.9.4 have an
issue in Linux of doubling received and dropped stats so we do a couple
of configure checks to determine whether or not the pcap version falls
in this range.  Phil Wood's pcap has a version of '0.9x', so our basic
check is determining that we need to halve the stats that pcap gives
us.  I'm going to write a bug on this, but don't expect the fix to come
out any time soon.  As a workaround, those compiling snort from source
can change the following in 'configure' and reconfigure and build snort.

Look for this in 'configure':

if (strcmp(pcap_version, "0.9.5") < 0)
               return 1;

Change the 'return 1' to 'return 0'.

I haven't actually tested this, so let us know whether it works or not.
 Thanks, John, for bringing this to our attention.

Todd



John Hally wrote:
  
Hello all,

I've been playing around with mmap on Fedora Core 6 and things seem to be
working OK, but I noticed that the highlighted % numbers 'Analyzed' and
'Outstanding' are really strange looking.  Any idea if this is a
'problem' or just an anomaly?

Thanks!



Nov  8 12:08:24 sensor snort[9258]: Snort initialization completed successfully (pid=9258)
Nov  8 12:08:24 sensor snort[9258]: Using PCAP_FRAMES = 32768
Nov  8 12:14:53 sensor snort[9258]: *** Caught Term-Signal
Nov  8 12:14:53 sensor snort[9258]: ===============================================================================
Nov  8 12:14:53 sensor snort[9258]: Packet Wire Totals:
Nov  8 12:14:53 sensor snort[9258]:    Received:      4718727
Nov  8 12:14:53 sensor snort[9258]:    Analyzed:      9434571 (199.939%)
Nov  8 12:14:53 sensor snort[9258]:     Dropped:            0 (0.000%)
Nov  8 12:14:53 sensor snort[9258]: Outstanding: 18446744073704835772 (390926283162913.125%)
Nov  8 12:14:53 sensor snort[9258]: ===============================================================================

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
    



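Added example (not part of the original thread and not Snort's own code): a small C program that runs the two configure.in test bodies quoted above against sample version strings, and recomputes the 'Outstanding' figure from the logged totals. Assumptions: exit status 0 selects libpcap_version_09="yes" (the usual autoconf run-test convention), Outstanding is Received - Analyzed - Dropped in unsigned 64-bit arithmetic, and "0.8.3" is a constructed sample version.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Body of the original configure.in test. Return value is the exit status:
 * 0 -> libpcap_version_09="yes", 1 -> "no" (assumed autoconf convention). */
static int check_original(const char *pcap_version)
{
    if (strcmp(pcap_version, "0.9.0") < 0)
        return 1;
    return 0;
}

/* Body of the test after the workaround: "0.9x" is rejected explicitly. */
static int check_revised(const char *pcap_version)
{
    if (strcmp(pcap_version, "0.9x") == 0)
        return 1;
    return check_original(pcap_version);
}

/* Assumed formula for the 'Outstanding' line. The operands are unsigned,
 * so a result below zero wraps around modulo 2^64. */
static uint64_t outstanding(uint64_t received, uint64_t analyzed, uint64_t dropped)
{
    return received - analyzed - dropped;
}

static double percent(uint64_t part, uint64_t whole)
{
    return whole ? 100.0 * (double)part / (double)whole : 0.0;
}

int main(void)
{
    /* Totals copied from the "Packet Wire Totals" log in the thread. */
    const uint64_t received = 4718727, analyzed = 9434571, dropped = 0;
    const uint64_t out = outstanding(received, analyzed, dropped);
    const char *versions[] = { "0.8.3", "0.9x", "0.9.4" }; /* 0.8.3 is constructed */

    /* strcmp is bytewise: 'x' sorts after '.', so "0.9x" passes "0.9.0". */
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++)
        printf("%-5s original=%d revised=%d\n", versions[i],
               check_original(versions[i]), check_revised(versions[i]));
    printf("Analyzed:    %" PRIu64 " (%.3f%%)\n", analyzed, percent(analyzed, received));
    printf("Outstanding: %" PRIu64 " (%.3f%%)\n", out, percent(out, received));
    return 0;
}
```

The wrapped difference equals the 18446744073704835772 shown in the log, which is 2^64 minus 4715844.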
