Snort mailing list archives
Re: Counting Packets Per Second "PCAP ISSUE"
From: Amtul Saboor <saboor.amtul () gmail com>
Date: Thu, 26 Jun 2014 09:56:27 +0500
I'm running Snort on Linux BackTrack. I installed the latest version of Snort and I'm trying to make a dynamic preprocessor by modifying the sample dpx.c file of dpx (the example preprocessor). I am trying to count unique source IPs arriving per second. I also want to do this with a larger gap between intervals; I mean I want to count unique source IPs for every fourth second. I then have to put the counted values of two consecutive intervals into a formula. E.g. I will count for the 1st second and then for the 4th second, and then use the values in a formula. I also have to keep all IP addresses of both intervals in a buffer (ignoring the packets of the 2nd and 3rd intervals). Likewise I'll do this for the 8th and 11th seconds, ignoring packets from the 9th and 10th seconds. But I'm unable to grab the time in seconds. Also, I'm confused about whether pcap will ignore the packets arriving in the in-between intervals (the ones I want to ignore) or not.

Thanks a lot for your time

Regards

On Jun 26, 2014 6:49 AM, "Ed Borgoyn (eborgoyn)" <eborgoyn () cisco com> wrote:
Amtul,

I'm not exactly sure what you are trying to accomplish. Nor what platform (i.e. OS) you are running on. But some platforms provide a 'high resolution' timer. This might be a 64 bit counter with sub-millisecond resolution. Generally the OS simply reads a H/W timer and gives it to the application without significant overhead. In other words, the time value read is very accurate. Can you describe in more detail what you want to build?

Ed
The Snort Team

From: Amtul Saboor <saboor.amtul () gmail com>
Date: Wednesday, June 25, 2014 4:09 PM
To: "<snort-devel () lists sourceforge net>" <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Counting Packets Per Second "PCAP ISSUE"

Hello,

I am making changes in the dpx preprocessor. The main issue I am facing is that I need to calculate packets per second and then use the count in a formula, but the "per second" thing is causing trouble for me. Apparently PCAP does not keep a record of "per second" packets. I have used the time function, calculating the difference between the current time and the previous time (in seconds), and using an if condition to try to grab packets, but the interval is not smooth. I am unable to get the correct packet count. Please suggest what can be done.

Thanks a lot

--
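An added example, not part of the thread and not Snort or dpx code: one way to get even intervals is to bucket on the capture timestamp that pcap stores in each packet's header (`tv_sec`) rather than on `time()` at processing time. Packets from the in-between seconds are still delivered and are skipped in the code. The `sampler_t` type, `sampler_feed()`, the period of 3 (1st, 4th, 7th ... second) and the packet list are assumptions constructed for illustration, as is the preprocessor having access to the header timestamp.

```c
#include <stdint.h>
#include <string.h>
#define MAX_IPS 1024   /* assumed cap on unique sources kept per window */

/* Hypothetical sampler (not a Snort API): one 1 s window per `period` s. */
typedef struct {
    long     start, cur;        /* tv_sec of first and of newest packet */
    int      period, n, prev_n; /* period 3 => 1st, 4th, 7th ... second */
    uint32_t ips[MAX_IPS];      /* unique sources, window being filled */
    uint32_t prev_ips[MAX_IPS]; /* unique sources, last closed window */
} sampler_t;

void sampler_init(sampler_t *s, int period) {
    memset(s, 0, sizeof *s);
    s->start = -1; s->period = period;
}

/* Feed one packet (tv_sec, IPv4 source); 1 = a sampled window just closed. */
int sampler_feed(sampler_t *s, long ts_sec, uint32_t src) {
    int closed = 0, i;
    if (s->start < 0) s->start = s->cur = ts_sec;
    if (ts_sec < s->cur) return 0;            /* out-of-order packet: drop */
    if (ts_sec > s->cur && (s->cur - s->start) % s->period == 0) {
        memcpy(s->prev_ips, s->ips, (size_t)s->n * sizeof s->ips[0]);
        s->prev_n = s->n; s->n = 0; closed = 1; /* sampled second ended */
    }
    s->cur = ts_sec;
    if ((ts_sec - s->start) % s->period) return closed; /* skipped second */
    for (i = 0; i < s->n; i++)
        if (s->ips[i] == src) return closed;  /* source already counted */
    if (s->n < MAX_IPS) s->ips[s->n++] = src;
    return closed;
}

/* Constructed capture, {tv_sec, source IP}; 1001 and 1002 are skipped. */
static const long demo[][2] = {
    {1000, 0x0a000001}, {1000, 0x0a000002}, {1000, 0x0a000001},
    {1001, 0x0a000009}, {1002, 0x0a000008}, {1003, 0x0a000001},
    {1003, 0x0a000003}, {1003, 0x0a000004}, {1004, 0x0a000005},
};
/* Unique-source count of the k-th closed window (0-based), -1 if none. */
int demo_count(int k) {
    sampler_t s;
    sampler_init(&s, 3);
    for (size_t i = 0; i < sizeof demo / sizeof demo[0]; i++)
        if (sampler_feed(&s, demo[i][0], (uint32_t)demo[i][1]) && k-- == 0)
            return s.prev_n;
    return -1;
}
```

A window is reported only when a packet with a later timestamp arrives, so the caller reads `prev_n` and `prev_ips` at that point and keeps them for the formula over two consecutive sampled windows.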