Snort mailing list archives
Re: Snort processes more packets than in pcap?
From: danjobkeule <danjobkeule () web de>
Date: Mon, 14 Dec 2009 15:03:20 +0100
Hi,

I'm using snort-2.8.3.1. Here is the link to the pcap: http://uploaded.to/file/la8d4t

Danjobkeule
Hi,

What Snort version do you use, please? Maybe send the pcap to the list?

Regards
Rmkml
Crusoe-Researches.com

On Wed, 9 Dec 2009, danjobkeule wrote:

Dear community,

I am wondering about Snort processing 3 packets, although in the pcap I feed Snort with there are just 2 packets (both are SMB packets). How can that be? I assume that some preprocessors "generate" a new packet, but could anybody give an explanation for that?

===============================================================================
Snort processed 3 packets.
===============================================================================
Breakdown by protocol (includes rebuilt packets):
    ETH: 3 (100.000%)
    ETHdisc: 0 (0.000%)
    VLAN: 0 (0.000%)
    IPV6: 0 (0.000%)
    IP6 EXT: 0 (0.000%)
    IP6opts: 0 (0.000%)
    IP6disc: 0 (0.000%)
    IP4: 3 (100.000%)
    IP4disc: 0 (0.000%)
    TCP 6: 0 (0.000%)
    UDP 6: 0 (0.000%)
    ICMP6: 0 (0.000%)
    ICMP-IP: 0 (0.000%)
    TCP: 2 (66.667%)
    UDP: 0 (0.000%)
    ICMP: 0 (0.000%)
    TCPdisc: 0 (0.000%)
    UDPdisc: 0 (0.000%)
    ICMPdis: 0 (0.000%)
    FRAG: 0 (0.000%)
    FRAG 6: 0 (0.000%)
    ARP: 0 (0.000%)
    EAPOL: 0 (0.000%)
    ETHLOOP: 0 (0.000%)
    IPX: 0 (0.000%)
    OTHER: 0 (0.000%)
    DISCARD: 0 (0.000%)
    InvChkSum: 0 (0.000%)
    S5 G 1: 0 (0.000%)
    S5 G 2: 1 (33.333%)
    Total: 3
===============================================================================
Action Stats:
    ALERTS: 1
    LOGGED: 1
    PASSED: 0
===============================================================================
Stream5 statistics:
    Total sessions: 1
    TCP sessions: 1
    UDP sessions: 0
    ICMP sessions: 0
    TCP Prunes: 0
    UDP Prunes: 0
    ICMP Prunes: 0
    TCP StreamTrackers Created: 1
    TCP StreamTrackers Deleted: 1
    TCP Timeouts: 0
    TCP Overlaps: 0
    TCP Segments Queued: 1
    TCP Segments Released: 1
    TCP Rebuilt Packets: 1
    TCP Segments Used: 1
    TCP Discards: 0
    UDP Sessions Created: 0
    UDP Sessions Deleted: 0
    UDP Timeouts: 0
    UDP Discards: 0
    Events: 0
===============================================================================
HTTP Inspect - encodings (Note: stream-reassembled packets included):
    POST methods: 0
    GET methods: 0
    Headers extracted: 0
    Header Cookies extracted: 0
    Post parameters extracted: 0
    Unicode: 0
    Double unicode: 0
    Non-ASCII representable: 0
    Base 36: 0
    Directory traversals: 0
    Extra slashes ("//"): 0
    Self-referencing paths ("./"): 0
    Total packets processed: 3
===============================================================================
===============================================================================
Snort exiting

------------------------------------------------------------------------------
Return on Information: Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
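An added example, not from the thread or from the Snort project: a small Python parser for a Snort run summary like the one quoted above. It reads the "Snort processed N packets." line and the named counters, and reconciles the processed count against the pcap's own packet count using the counters the quoted output already provides: the breakdown states that it "includes rebuilt packets", and Stream5 reports "TCP Rebuilt Packets: 1", which is exactly the difference between 3 processed and 2 in the pcap. The embedded summary is the thread's output reflowed onto one counter per line (only the lines the check needs); the function names, regexes and the `pcap_packets` argument are my own.

```python
import re

# Constructed sample: the Snort 2.8.3.1 summary posted in the thread,
# reduced to the lines the reconciliation needs, one counter per line.
SNORT_SUMMARY = """\
Snort processed 3 packets.
Breakdown by protocol (includes rebuilt packets):
    ETH: 3 (100.000%)
    IP4: 3 (100.000%)
    TCP: 2 (66.667%)
    S5 G 1: 0 (0.000%)
    S5 G 2: 1 (33.333%)
    Total: 3
Stream5 statistics:
    Total sessions: 1
    TCP sessions: 1
    TCP Segments Queued: 1
    TCP Segments Released: 1
    TCP Rebuilt Packets: 1
    TCP Segments Used: 1
"""

# "Snort processed N packets." header line.
PROCESSED_RE = re.compile(r"^\s*Snort processed (\d+) packets\.", re.M)
# "<name>: <count>" optionally followed by "(<pct>%)"; section headers such as
# "Stream5 statistics:" have no count and therefore do not match.
COUNTER_RE = re.compile(
    r"^\s*([A-Za-z0-9 \-]+?):\s+(\d+)(?:\s+\(([\d.]+)%\))?\s*$", re.M
)


def parse_summary(text):
    """Return (processed_packets, {counter_name: count}) from a run summary."""
    m = PROCESSED_RE.search(text)
    if not m:
        raise ValueError("no 'Snort processed N packets.' line found")
    counters = {
        name.strip(): int(count) for name, count, _pct in COUNTER_RE.findall(text)
    }
    return int(m.group(1)), counters


def reconcile(text, pcap_packets):
    """Explain processed-vs-pcap packet counts using the summary's own counters.

    pcap_packets is the packet count of the capture fed to Snort (hypothetical
    input here; in practice take it from capinfos/tcpdump -r on the same file).
    """
    processed, c = parse_summary(text)
    rebuilt = c.get("TCP Rebuilt Packets", 0)
    # Rebuilt (stream-reassembled) packets are counted in the breakdown on top
    # of the raw packets, so raw-on-the-wire = processed - rebuilt.
    raw = processed - rebuilt
    # The S5 G counters are where the breakdown in the quoted output accounts
    # for the reassembled packet; they should equal the rebuilt count.
    s5 = c.get("S5 G 1", 0) + c.get("S5 G 2", 0)
    return {
        "processed": processed,
        "rebuilt": rebuilt,
        "raw": raw,
        "matches_pcap": raw == pcap_packets,
        "breakdown_consistent": c.get("Total") == processed and s5 == rebuilt,
    }


if __name__ == "__main__":
    report = reconcile(SNORT_SUMMARY, pcap_packets=2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the thread's numbers it reports `raw: 2` and `matches_pcap: True`, i.e. the two SMB segments plus one stream-reassembled packet give the three packets Snort says it processed; a `matches_pcap: False` on another capture is the signal to look at the other Stream5 and FRAG counters for where the extra packets came from.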
Current thread:
- Snort processes more packets than in pcap? danjobkeule (Dec 09)
- Re: Snort processes more packets than in pcap? danjobkeule (Dec 14)
- Re: Snort processes more packets than in pcap? Todd Wease (Dec 14)
- Re: Snort processes more packets than in pcap? Russ Combs (Dec 14)
- Re: Snort processes more packets than in pcap? Joel Esler (Dec 14)
- Re: Snort processes more packets than in pcap? danjobkeule (Dec 14)