Snort mailing list archives

Re: The detect function


From: Russ Combs <rcombs () sourcefire com>
Date: Wed, 2 Jan 2013 13:33:20 -0500

Suggest looking at your packet(s) in something like Wireshark to see what
the encapsulations are.  In Wireshark, open the "Frame" to view "Protocols
in frame".  You may see something like "eth:vlan:ip:tcp:http" or
"eth:ip:gre:ppp:ip:tcp:http".  The latter has GRE (you can google that)
and requires that Snort be built with GRE support (enabled by default).
Please send a pcap if that doesn't get you moving.

On Tue, Dec 18, 2012 at 4:57 AM, Shimrit Tzur <shimritd () gmail com> wrote:

I can see now that I'm getting into the ifdef GRE in the function and this
is the reason that it returns.
Can someone explain to me why? What is this GRE? The input contains HTTP or
TCP packets.
Thanks!


On Tue, Dec 18, 2012 at 9:39 AM, Shimrit Tzur <shimritd () gmail com> wrote:

Hello all,
I have known Snort for a while but I'm new to developing it.
I'm trying to trace the function flow of a standard HTTP packet.
I noticed that in the detect function (detect.c) there is a switch-case
statement on "p->outer_family" where the options are AF_INET and AF_INET6.
In my case the value is 0, so the program goes to the default option, which
simply returns, so fpEvalPacket isn't called.

My question is: what is the meaning of this outer_family field of the
packet, and why is it 0?

Thanks a lot,
Shimrit




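The point Russ makes is that the decoder, not the detection engine, decides what "outer" and "inner" mean: a frame such as "eth:ip:gre:ppp:ip:tcp:http" has two IP headers, and a packet that is not tunneled has no outer one at all. To make that concrete, here is a small encapsulation walker added to this archived thread as an illustration; it is not Snort's detect.c or decoder code and not code from anyone in the thread. It walks Ethernet, 802.1Q, IPv4, IPv6 (fixed header only), GRE (RFC 2784/2890 and the PPTP variant, RFC 2637), PPP and TCP, produces the same kind of chain Wireshark shows under "Protocols in frame", and fills `outer_family`/`inner_family` fields that are this example's own analogue of the field discussed above (assumed semantics: the outermost IP header's family when a tunnel is present, otherwise 0). The sample frames are constructed inline, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>                               /* AF_INET, AF_INET6 */

struct encap {
    char protos[64];   /* chain in the style of Wireshark's "Protocols in frame", e.g. "eth:ip:gre:ip:tcp" */
    int  outer_family; /* family of the outermost IP header when the frame is tunneled, else 0 (this example's analogue, not Snort's field) */
    int  inner_family; /* family of the innermost IP header, else 0 */
    int  ip_headers;   /* number of IP headers found */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void add_proto(struct encap *e, const char *n) { size_t u = strlen(e->protos); snprintf(e->protos + u, sizeof e->protos - u, "%s%s", u ? ":" : "", n); }
/* First IP header seen becomes the outer one, the most recent one the inner one. */
static void note_ip(struct encap *e, int family) { if (!e->ip_headers++) e->outer_family = family; e->inner_family = family; }
static int walk_ethertype(const uint8_t *p, size_t len, uint16_t type, struct encap *e);

/* PPP as carried by PPTP: optional FF 03 address/control bytes, then a 1- or 2-byte protocol field. */
static int walk_ppp(const uint8_t *p, size_t len, struct encap *e)
{
    if (len >= 2 && p[0] == 0xFF && p[1] == 0x03) { p += 2; len -= 2; }
    size_t hl = (len > 0 && (p[0] & 1)) ? 1 : 2;              /* odd first byte = compressed 1-byte field */
    if (len < hl) return -1;
    uint16_t proto = hl == 1 ? p[0] : rd16(p);
    add_proto(e, "ppp");
    if (proto == 0x0021) return walk_ethertype(p + hl, len - hl, 0x0800, e);
    if (proto == 0x0057) return walk_ethertype(p + hl, len - hl, 0x86DD, e);
    return -1;
}
/* GRE: 4-byte base header plus optional checksum, key and sequence (RFC 2784/2890); the version 1
   "enhanced GRE" that PPTP uses (RFC 2637) may also carry an acknowledgement number. */
static int walk_gre(const uint8_t *p, size_t len, struct encap *e)
{
    if (len < 4) return -1;
    size_t off = 4;
    if (p[0] & 0x80) off += 4;                                 /* C: checksum + reserved */
    if (p[0] & 0x20) off += 4;                                 /* K: key */
    if (p[0] & 0x10) off += 4;                                 /* S: sequence number */
    if ((p[1] & 0x07) == 1 && (p[1] & 0x80)) off += 4;         /* A: acknowledgement, version 1 only */
    if (len < off) return -1;
    add_proto(e, "gre");
    uint16_t ptype = rd16(p + 2);                              /* payload type is an EtherType */
    return ptype == 0x880B ? walk_ppp(p + off, len - off, e) : walk_ethertype(p + off, len - off, ptype, e);
}
static int walk_l4(const uint8_t *p, size_t len, uint8_t proto, struct encap *e)
{
    if (proto == 47) return walk_gre(p, len, e);
    if (proto == 6 && len >= 20) { add_proto(e, "tcp"); return 0; }
    return -1;                                                 /* anything else is left undecoded */
}
static int walk_ethertype(const uint8_t *p, size_t len, uint16_t type, struct encap *e)
{
    if (type == 0x8100) {                                      /* 802.1Q tag: TCI, then the real EtherType */
        if (len < 4) return -1;
        add_proto(e, "vlan");
        return walk_ethertype(p + 4, len - 4, rd16(p + 2), e);
    }
    if (type == 0x0800) {                                      /* IPv4: header length from IHL, protocol at byte 9 */
        if (len < 20 || (p[0] >> 4) != 4) return -1;
        size_t hl = (size_t)(p[0] & 0x0F) * 4;
        if (hl < 20 || len < hl) return -1;
        note_ip(e, AF_INET);  add_proto(e, "ip");
        return walk_l4(p + hl, len - hl, p[9], e);
    }
    if (type == 0x86DD) {                                      /* IPv6: fixed header only, next header at byte 6 */
        if (len < 40 || (p[0] >> 4) != 6) return -1;
        note_ip(e, AF_INET6); add_proto(e, "ipv6");
        return walk_l4(p + 40, len - 40, p[6], e);
    }
    return -1;
}
/* Walk a raw Ethernet frame. Returns 0 when the chain ends in a known transport, -1 otherwise. */
int walk_frame(const uint8_t *pkt, size_t len, struct encap *e)
{
    memset(e, 0, sizeof *e);
    if (len < 14) return -1;
    add_proto(e, "eth");
    int rc = walk_ethertype(pkt + 14, len - 14, rd16(pkt + 12), e);
    if (e->ip_headers < 2) e->outer_family = 0;                /* not tunneled: nothing "outer" to report */
    return rc;
}

/* Constructed sample frames, not captured traffic: checksums are zero and length fields are not validated. */
static const uint8_t ETH_IP[14]   = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00};
static const uint8_t IP4_TCP[20]  = {0x45,0,0,40, 0,1,0,0, 64,6,0,0,  10,0,0,1,   10,0,0,2};
static const uint8_t IP4_GRE[20]  = {0x45,0,0,64, 0,2,0,0, 64,47,0,0, 192,0,2,1, 192,0,2,2};
static const uint8_t GRE_V0[4]    = {0x00,0x00,0x08,0x00};                              /* no options, IPv4 payload */
static const uint8_t GRE_PPTP[16] = {0x30,0x81,0x88,0x0B, 0,44,0,1, 0,0,0,1, 0,0,0,0};   /* K+S+A, version 1, PPP payload */
static const uint8_t PPP_IP[4]    = {0xFF,0x03,0x00,0x21};
static const uint8_t TCP_SYN[20]  = {0x04,0xD2,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xFF,0xFF, 0,0,0,0};
static size_t cat(uint8_t *f, size_t n, const uint8_t *part, size_t len) { memcpy(f + n, part, len); return n + len; }

size_t build_plain(uint8_t *f) { size_t n = cat(f, 0, ETH_IP, 14); n = cat(f, n, IP4_TCP, 20); return cat(f, n, TCP_SYN, 20); }
size_t build_gre(uint8_t *f)   { size_t n = cat(f, 0, ETH_IP, 14); n = cat(f, n, IP4_GRE, 20); n = cat(f, n, GRE_V0, 4);
                                 n = cat(f, n, IP4_TCP, 20); return cat(f, n, TCP_SYN, 20); }
size_t build_pptp(uint8_t *f)  { size_t n = cat(f, 0, ETH_IP, 14); n = cat(f, n, IP4_GRE, 20); n = cat(f, n, GRE_PPTP, 16);
                                 n = cat(f, n, PPP_IP, 4); n = cat(f, n, IP4_TCP, 20); return cat(f, n, TCP_SYN, 20); }
```

Calling `walk_frame` on `build_plain` gives "eth:ip:tcp" with `outer_family` 0 and `inner_family` AF_INET; `build_gre` gives "eth:ip:gre:ip:tcp" and `build_pptp` gives "eth:ip:gre:ppp:ip:tcp", both with `outer_family` AF_INET and two IP headers. The walker returns -1 for anything it does not decode (IPv6 extension headers, GRE payloads other than IP or PPP, truncated headers), which is the behaviour to watch for in any inspection path: a decoder that stops at an encapsulation it was not built for leaves the inner HTTP uninspected, exactly as the thread describes for the detect function returning before fpEvalPacket. When tracing such a case, confirm the full chain end to end, from the raw frame rather than from the inner headers alone.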
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
