Snort mailing list archives
Snort processes more packets than in pcap?
From: danjobkeule <danjobkeule () web de>
Date: Wed, 09 Dec 2009 17:04:46 +0100
Dear community,
I am wondering about Snort processing 3 packets, although in the pcap I
feed Snort with there are just 2 packets (both are SMB packets).
How can that be? I assume that some preprocessors "generate" a new
packet, but could anybody give an explanation for that?
===============================================================================
Snort processed 3 packets.
===============================================================================
Breakdown by protocol (includes rebuilt packets):
      ETH: 3          (100.000%)
  ETHdisc: 0          (  0.000%)
     VLAN: 0          (  0.000%)
     IPV6: 0          (  0.000%)
  IP6 EXT: 0          (  0.000%)
  IP6opts: 0          (  0.000%)
  IP6disc: 0          (  0.000%)
      IP4: 3          (100.000%)
  IP4disc: 0          (  0.000%)
    TCP 6: 0          (  0.000%)
    UDP 6: 0          (  0.000%)
    ICMP6: 0          (  0.000%)
  ICMP-IP: 0          (  0.000%)
      TCP: 2          ( 66.667%)
      UDP: 0          (  0.000%)
     ICMP: 0          (  0.000%)
  TCPdisc: 0          (  0.000%)
  UDPdisc: 0          (  0.000%)
  ICMPdis: 0          (  0.000%)
     FRAG: 0          (  0.000%)
   FRAG 6: 0          (  0.000%)
      ARP: 0          (  0.000%)
    EAPOL: 0          (  0.000%)
  ETHLOOP: 0          (  0.000%)
      IPX: 0          (  0.000%)
    OTHER: 0          (  0.000%)
  DISCARD: 0          (  0.000%)
InvChkSum: 0          (  0.000%)
   S5 G 1: 0          (  0.000%)
   S5 G 2: 1          ( 33.333%)
    Total: 3
===============================================================================
Action Stats:
ALERTS: 1
LOGGED: 1
PASSED: 0
===============================================================================
Stream5 statistics:
            Total sessions: 1
              TCP sessions: 1
              UDP sessions: 0
             ICMP sessions: 0
                TCP Prunes: 0
                UDP Prunes: 0
               ICMP Prunes: 0
TCP StreamTrackers Created: 1
TCP StreamTrackers Deleted: 1
              TCP Timeouts: 0
              TCP Overlaps: 0
       TCP Segments Queued: 1
     TCP Segments Released: 1
       TCP Rebuilt Packets: 1
         TCP Segments Used: 1
              TCP Discards: 0
      UDP Sessions Created: 0
      UDP Sessions Deleted: 0
              UDP Timeouts: 0
              UDP Discards: 0
                    Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods:                   0
    GET methods:                    0
    Headers extracted:              0
    Header Cookies extracted:       0
    Post parameters extracted:      0
    Unicode:                        0
    Double unicode:                 0
    Non-ASCII representable:        0
    Base 36:                        0
    Directory traversals:           0
    Extra slashes ("//"):           0
    Self-referencing paths ("./"):  0
    Total packets processed:        3
===============================================================================
===============================================================================
Snort exiting
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
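The summary posted above already carries the figures needed to account for the third packet: the protocol breakdown is labelled "includes rebuilt packets", and the Stream5 section reports "TCP Rebuilt Packets: 1". The following script is an added example (not part of the original post or of Snort itself) that reconciles the two numbers an analyst has in hand, the packet count in the pcap and the count Snort reports, by parsing a classic libpcap file and the Snort exit summary and checking whether "processed minus rebuilt" equals the packets on the wire. The pcap bytes and the abbreviated summary text are constructed inline from the counters shown in the post; the function names and the `explained_by_reassembly` field are this example's own.

```python
"""Reconcile Snort's 'packets processed' figure against a pcap's packet count."""
import re
import struct

# --- constructed sample pcap: libpcap global header + two 60-byte dummy frames ---
# Global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type 1 (Ethernet)
_PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _record(payload: bytes, ts_sec: int) -> bytes:
    # Record header: ts_sec, ts_usec, incl_len, orig_len (all little-endian here)
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload


SAMPLE_PCAP = _PCAP_GLOBAL + _record(b"\x00" * 60, 1) + _record(b"\x00" * 60, 2)

# --- constructed Snort exit summary, trimmed to the lines the reconciliation reads ---
SAMPLE_SUMMARY = """\
Snort processed 3 packets.
Breakdown by protocol (includes rebuilt packets):
      ETH: 3          (100.000%)
      TCP: 2          ( 66.667%)
   S5 G 1: 0          (  0.000%)
   S5 G 2: 1          ( 33.333%)
    Total: 3
Stream5 statistics:
       TCP Rebuilt Packets: 1
"""


def count_pcap_packets(data: bytes) -> int:
    """Count records in a classic (non-pcapng) libpcap file, honouring its byte order."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    offset, count = 24, 0  # 24-byte global header precedes the first record
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated pcap record")
        count += 1
    return count


def parse_snort_summary(text: str) -> dict:
    """Pull the packet counters out of Snort's exit summary text."""
    processed = re.search(r"Snort processed\s+(\d+)\s+packets", text)
    rebuilt = re.search(r"TCP Rebuilt Packets:\s*(\d+)", text)
    s5 = re.findall(r"S5 G \d:\s*(\d+)", text)
    if not processed:
        raise ValueError("no 'Snort processed N packets' line in summary")
    return {
        "processed": int(processed.group(1)),
        "rebuilt": int(rebuilt.group(1)) if rebuilt else 0,
        "s5_counters": sum(int(x) for x in s5),  # Stream5 lines of the breakdown
    }


def reconcile(pcap_data: bytes, summary_text: str) -> dict:
    """Check whether Stream5's rebuilt packets account for the surplus Snort reports."""
    on_wire = count_pcap_packets(pcap_data)
    stats = parse_snort_summary(summary_text)
    return {
        "on_wire": on_wire,
        "processed": stats["processed"],
        "rebuilt": stats["rebuilt"],
        "explained_by_reassembly": stats["processed"] - stats["rebuilt"] == on_wire,
    }


if __name__ == "__main__":
    print(reconcile(SAMPLE_PCAP, SAMPLE_SUMMARY))
```

Run against a real capture, `count_pcap_packets(open("trace.pcap", "rb").read())` together with the text Snort prints at exit gives the same comparison; when `explained_by_reassembly` is false, the surplus is not coming from Stream5 reassembly and another preprocessor or a pcapng input (which this minimal parser deliberately rejects) is the next thing to check.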
Current thread:
- Snort processes more packets than in pcap? danjobkeule (Dec 09)
- Message not available
- Re: Snort processes more packets than in pcap? danjobkeule (Dec 14)
- Re: Snort processes more packets than in pcap? Todd Wease (Dec 14)
- Re: Snort processes more packets than in pcap? Russ Combs (Dec 14)
- Re: Snort processes more packets than in pcap? Joel Esler (Dec 14)
- Re: Snort processes more packets than in pcap? danjobkeule (Dec 14)
- Message not available
