tcpdump mailing list archives
Patch for libpcap pcap_stats_linux
From: Erik de Castro Lopo <erikd+tcpdump () sensorynetworks com>
Date: Fri, 2 Jan 2004 09:33:31 +1100
Hi all,
I am using libpcap with Snort 2.1.0 and found that Snort on Linux-2.4.20
was reporting some very odd statistics like:
Snort analyzed 17 out of 17 packets, dropping 0(0.000%) packets
Breakdown by protocol: Action Stats:
TCP: 41196582 (242332848.000%) ALERTS: 0
UDP: 321 (1888.235%) LOGGED: 0
Snort calls pcap_stats() in libpcap to retrieve the statistics. Digging
a little deeper, the problem was that on Linux, pcap_stats calls:
getsockopt(sock, SOL_PACKET, PACKET_STATISTICS, ....
to retrieve the packet statistics. In the Linux kernel the packet
statistics are zeroed during each retrieval:
http://lxr.linux.no/source/net/packet/af_packet.c#L1344
In contrast, on FreeBSD, the packet statistics are retrieved using
ioctl(BIOCGSTATS):
http://snapshots.jp.freebsd.org/tour/current/kernel/S/3064.html#831
which does NOT reset the counters.
The patch below adds a static variable to pcap_stats_linux() which
holds a running total of the packet statistics so that the behaviour
of pcap_stats() on Linux matches the behaviour of FreeBSD.
Regards,
Erik
------------------------------------------------------------------
diff -u pcap-linux.orig.c pcap-linux.c
--- pcap-linux.orig.c 2003-12-31 14:53:12.000000000 +1100
+++ pcap-linux.c 2004-01-02 09:32:29.000000000 +1100
@@ -684,6 +684,8 @@
pcap_stats_linux(pcap_t *handle, struct pcap_stat *stats)
{
#ifdef HAVE_TPACKET_STATS
+ static struct tpacket_stats kstats_total = { 0, 0 };
+
struct tpacket_stats kstats;
socklen_t len = sizeof (struct tpacket_stats);
#endif
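Review bot: `static struct tpacket_stats kstats_total` is one variable for the whole process, not one per pcap_t, so two handles open at once (or a handle closed and reopened) will have their tp_packets/tp_drops added into the same total and each will report the other's traffic. The running total should live in per-handle storage instead, for example in `handle->md.stat`, which this same function already writes, and should start from zero when the handle is opened.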
@@ -718,8 +720,17 @@
* "tp_packets" as the count of packets and "tp_drops"
* as the count of drops.
*/
- handle->md.stat.ps_recv = kstats.tp_packets;
- handle->md.stat.ps_drop = kstats.tp_drops;
+
+ /*
+ * Keep a running total because each call to
+ * getsockopt(handle->fd, SOL_PACKET, PACKET_STATISTICS, ....
+ * resets the counters to zero.
+ */
+ kstats_total.tp_packets += kstats.tp_packets;
+ kstats_total.tp_drops += kstats.tp_drops;
+
+ handle->md.stat.ps_recv = kstats_total.tp_packets;
+ handle->md.stat.ps_drop = kstats_total.tp_drops;
}
else
{
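Review bot: the accumulation here is only done in the HAVE_TPACKET_STATS branch, and the static it relies on is declared under the same #ifdef, so the `else` path that follows keeps the old per-call semantics and the two build configurations will report different things. Since lines `handle->md.stat.ps_recv = kstats_total.tp_packets;` and `handle->md.stat.ps_drop = kstats_total.tp_drops;` show that `handle->md.stat` already persists across calls, writing `handle->md.stat.ps_recv += kstats.tp_packets;` and `handle->md.stat.ps_drop += kstats.tp_drops;` gives the same running total per handle without the static; the comment above the new lines should then also say where the total is kept.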
------------------------------------------------------------------
--
------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo () sensorynetworks com
[W] http://www.sensorynetworks.com
[T] +61 2 83022726
[F] +61 2 94750316
[A] L4/140 William St, East Sydney NSW 2011, Australia
------------------------------------------------------
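The following is an added example, not the patch above and not libpcap's own code: it shows the reset-on-read behaviour of getsockopt(PACKET_STATISTICS) that the post describes, and a per-handle running total rather than a process-wide static. The names kstats, stats_handle, fake_socket, stats_accumulate, two_handle_scenario and read_packet_statistics are hypothetical; the fake socket and the packet counts are constructed data so the program runs offline. Only read_packet_statistics() touches a real socket, and it is compiled only on Linux.

```c
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/socket.h>
#include <linux/if_packet.h>
#endif

/* Local mirror of the two counters in the kernel's struct tpacket_stats,
 * so the accumulation logic below compiles on any OS. */
struct kstats {
    unsigned int tp_packets;
    unsigned int tp_drops;
};

/* Per-handle running totals: a hypothetical stand-in for per-pcap_t
 * storage (handle->md.stat in libpcap), as opposed to a process-wide static. */
struct stats_handle {
    unsigned int recv_total;
    unsigned int drop_total;
};

/* Fold one reset-on-read sample into this handle's running totals. */
static void stats_accumulate(struct stats_handle *h, const struct kstats *sample)
{
    h->recv_total += sample->tp_packets;
    h->drop_total += sample->tp_drops;
}

#ifdef __linux__
/* Real read of a packet socket's counters. The kernel zeroes them on every
 * read, so the caller must accumulate. Returns -1 on error. */
int read_packet_statistics(int fd, struct kstats *out)
{
    struct tpacket_stats ks;
    socklen_t len = sizeof ks;
    if (getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, &ks, &len) < 0)
        return -1;
    out->tp_packets = ks.tp_packets;
    out->tp_drops = ks.tp_drops;
    return 0;
}
#endif

/* Constructed stand-in for a packet socket: counts since the previous read,
 * zeroed when read, mimicking getsockopt(PACKET_STATISTICS). */
struct fake_socket {
    struct kstats pending;
};

static void fake_deliver(struct fake_socket *s, unsigned int pkts, unsigned int drops)
{
    s->pending.tp_packets += pkts;
    s->pending.tp_drops += drops;
}

static void fake_getsockopt_stats(struct fake_socket *s, struct kstats *out)
{
    *out = s->pending;
    memset(&s->pending, 0, sizeof s->pending);
}

struct scenario_result {
    unsigned int a_recv, a_drop;   /* per-handle totals for handle A */
    unsigned int b_recv, b_drop;   /* per-handle totals for handle B */
    unsigned int shared_recv;      /* what one process-wide static would report */
};

/* Two handles in one process with interleaved stats reads (constructed data). */
struct scenario_result two_handle_scenario(void)
{
    struct fake_socket sa = { {0, 0} }, sb = { {0, 0} };
    struct stats_handle ha = { 0, 0 }, hb = { 0, 0 };
    unsigned int shared = 0;
    struct kstats s;
    struct scenario_result r;

    fake_deliver(&sa, 10, 1);
    fake_deliver(&sb, 5, 0);

    fake_getsockopt_stats(&sa, &s); stats_accumulate(&ha, &s); shared += s.tp_packets;
    fake_getsockopt_stats(&sb, &s); stats_accumulate(&hb, &s); shared += s.tp_packets;

    fake_deliver(&sa, 7, 2);
    fake_getsockopt_stats(&sa, &s); stats_accumulate(&ha, &s); shared += s.tp_packets;

    /* A second read with nothing new delivered returns zeros; with a running
     * total it is harmless, without one pcap_stats() would report 0 received. */
    fake_getsockopt_stats(&sa, &s); stats_accumulate(&ha, &s); shared += s.tp_packets;

    r.a_recv = ha.recv_total; r.a_drop = ha.drop_total;
    r.b_recv = hb.recv_total; r.b_drop = hb.drop_total;
    r.shared_recv = shared;
    return r;
}

int main(void)
{
    struct scenario_result r = two_handle_scenario();
    printf("handle A: recv=%u drop=%u\n", r.a_recv, r.a_drop);
    printf("handle B: recv=%u drop=%u\n", r.b_recv, r.b_drop);
    printf("a single static would report recv=%u for both handles\n", r.shared_recv);
    return 0;
}
```

Handle A ends at 17 received / 3 dropped and handle B at 5 / 0, while a shared static would report 22 for both; that is the case the per-handle storage is there to handle. To try the real call, open an AF_PACKET socket as root, pass its descriptor to read_packet_statistics() twice in a row, and the second read returns zeros.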
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
Current thread:
- Patch for libpcap pcap_stats_linux Erik de Castro Lopo (Jan 01)
- Re: Patch for libpcap pcap_stats_linux Hannes Gredler (Jan 02)
