
List:       snort-devel
Subject:    Re: [Snort-devel] perfmon pp and libpcap-0.9.5 (LINUX)
From:       Steven Sturges <steve.sturges () sourcefire ! com>
Date:       2007-06-21 15:54:01
Message-ID: 467A9F19.60304 () sourcefire ! com

Thanks, Benjamin.

Does anyone know specifically when the change occurred -- what
version of pcap was the last to use the old (0.8.3) style?

This sounds like a good candidate to go into the FAQ.
We can look into adding changes to perfmon and DropStats()
(in util.c if necessary) to do the correct thing based on the
pcap version.

Cheers.
-steve

Benjamin Small wrote:
> Hello,
> 
> I wanted to make the community aware of a discovery I made
> in libpcap 0.9.5 vs libpcap 0.8.3 and how it affects the perfmonitor
> preprocessor. In the newer version, pcap_stats keeps a running
> count of packets received and dropped. I briefly did a look over and
> I think I have found the reason.
> 
> The relevant lines are in pcap-linux.c:
> 
> - libpcap-0.8.3
> 852:handle->md.stat.ps_recv = kstats.tp_packets;
> 853:handle->md.stat.ps_drop = kstats.tp_drops;
> 
> - libpcap-0.9.5
> 721:handle->md.stat.ps_recv += kstats.tp_packets;
> 722:handle->md.stat.ps_drop += kstats.tp_drops;
> 
> This behavior seems to affect the perfmonitor preprocessor, causing
> counts to never reset, only accumulate. The perfmonitor preprocessor uses
> these counts to either add or "reset" its own count to the numbers of these
> variables. If I get time, I'll write a patch (as well as delve further into
> confirming this, specifically, is the problem). I identified this as the
> problem from research starting in GetPktDropStats in perf-base.c
> 
> Regards,
> Benjamin
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
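
Added example, not part of either message and not Snort or libpcap code: a small C model of the two quoted pcap-linux.c updates, plus a hypothetical consumer-side helper (`interval_counts`) that derives per-interval counts from either style. The struct, enum and function names and the kernel readings are constructed for illustration; how a caller decides which style its libpcap uses is left as an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the ps_recv / ps_drop pair quoted above. */
struct counts { uint32_t recv, drop; };

enum stat_style { STYLE_ASSIGN /* 0.8.3: "=" */, STYLE_ACCUMULATE /* 0.9.5: "+=" */ };

/* Model of the two quoted updates: fold one kernel reading (kstats) into the
 * handle's stored stats and return what a caller of the library would see. */
static struct counts lib_update(struct counts *md, struct counts kstats, enum stat_style s)
{
    if (s == STYLE_ACCUMULATE) { md->recv += kstats.recv; md->drop += kstats.drop; }
    else { *md = kstats; }
    return *md;
}

/* Hypothetical consumer-side helper: turn a reported sample into the counts
 * for this interval only. For running totals, subtract the previous sample;
 * uint32_t subtraction is modulo 2^32, so a wrapped counter still works. */
static struct counts interval_counts(struct counts *prev, struct counts now, enum stat_style s)
{
    struct counts out = now;
    if (s == STYLE_ACCUMULATE) {
        out.recv = now.recv - prev->recv;
        out.drop = now.drop - prev->drop;
    }
    *prev = now;
    return out;
}

/* Feed three constructed kernel readings through the chosen library style and
 * return the drop count the consumer derives for the last interval. */
static uint32_t last_interval_drops(enum stat_style lib, enum stat_style assumed)
{
    const struct counts kernel[3] = { {1000, 10}, {2000, 0}, {1500, 5} };
    struct counts md = {0, 0}, prev = {0, 0}, out = {0, 0};
    for (int i = 0; i < 3; i++)
        out = interval_counts(&prev, lib_update(&md, kernel[i], lib), assumed);
    return out.drop;
}

int main(void)
{
    printf("0.8.3 style, read as per-call: %u\n", (unsigned)last_interval_drops(STYLE_ASSIGN, STYLE_ASSIGN));
    printf("0.9.5 style, read as per-call: %u\n", (unsigned)last_interval_drops(STYLE_ACCUMULATE, STYLE_ASSIGN));
    printf("0.9.5 style, read as running:  %u\n", (unsigned)last_interval_drops(STYLE_ACCUMULATE, STYLE_ACCUMULATE));
    return 0;
}
```

The middle case is the symptom described in the quoted message: a consumer that treats running totals as per-call values reports drop counts that only grow.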
