[Tomahawk-devs] Match failures due to ethernet trailers?
From: cdb <cd...@ev...> - 2004-11-18 15:00:20
Anyone notice a problem with spurious match failures on short packets due to comparison of the Ethernet trailer?

I was running test.pcap through a Linux VM in VMware running snort_inline. The packets were running out eth0, through the bridge, and arriving on eth1 but were not counted as having arrived by tomahawk. The received counter printed by tomahawk at the end of the run was incremented, but the behavior of tomahawk was as if they never arrived.

A little investigation showed that the failure was due to a failed match in PacketEquals, with a difference at the very end of the data. I added a small hack to PacketEqual to write out b1 and b2 in pcap format to better see the reason for the match failures. In the PCAP, the packets are in groups of two, representing the contents of b1 and b2 respectively. Notice the difference is in the trailer.

In the final memcmp, should the comparison length be min(iph->tot_len, len)? That patch works for me. Is this the correct approach or something wrong with this test case?
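
The trailer-insensitive comparison the message asks about, as an added example in C (not Tomahawk's code and not part of the original post): two frames are compared only up to the end of the IPv4 packet, so trailer bytes that differ between the copies do not cause a mismatch. Assumptions: each buffer starts at an untagged Ethernet II header, the IPv4 total length is read in network byte order and offset by the 14-byte Ethernet header, and `significant_len`, `frames_equal_ignoring_trailer` and `build_sample` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN 14       /* untagged Ethernet II header (assumption) */
#define MIN_FRAME   60       /* minimum Ethernet frame size without FCS */

/* Bytes that belong to the packet: Ethernet header + IPv4 total length,
 * clamped to the captured length. Anything past that is trailer/padding.
 * Non-IPv4, truncated or malformed frames keep their full length. */
static size_t significant_len(const uint8_t *f, size_t len)
{
    if (len < ETH_HDR_LEN + 20 || f[12] != 0x08 || f[13] != 0x00)
        return len;
    if ((f[ETH_HDR_LEN] >> 4) != 4)
        return len;
    /* tot_len is big-endian on the wire; assemble it byte by byte. */
    size_t tot_len = ((size_t)f[ETH_HDR_LEN + 2] << 8) | f[ETH_HDR_LEN + 3];
    if (tot_len < 20)
        return len;              /* header claims less than itself: distrust */
    return ETH_HDR_LEN + tot_len < len ? ETH_HDR_LEN + tot_len : len;
}

/* Hypothetical helper: 1 if the frames match once trailer bytes are ignored. */
int frames_equal_ignoring_trailer(const uint8_t *b1, size_t len1,
                                  const uint8_t *b2, size_t len2)
{
    size_t n1 = significant_len(b1, len1), n2 = significant_len(b2, len2);
    return n1 == n2 && memcmp(b1, b2, n1) == 0;
}

/* Constructed sample: a 28-byte IPv4/UDP packet padded to 60 bytes with
 * `pad`; `payload_byte` is the last byte inside the IP packet. */
void build_sample(uint8_t out[MIN_FRAME], uint8_t pad, uint8_t payload_byte)
{
    memset(out, pad, MIN_FRAME);
    memset(out, 0x11, 12);                 /* dst + src MAC (constructed) */
    out[12] = 0x08; out[13] = 0x00;        /* EtherType IPv4 */
    memset(out + ETH_HDR_LEN, 0, 28);
    out[ETH_HDR_LEN] = 0x45;               /* version 4, IHL 5 */
    out[ETH_HDR_LEN + 3] = 28;             /* tot_len = 28 (high byte is 0) */
    out[ETH_HDR_LEN + 9] = 17;             /* protocol UDP */
    out[ETH_HDR_LEN + 27] = payload_byte;  /* last byte of the IP packet */
}
```

Requiring both significant lengths to be equal keeps a frame whose IP packet was truncated or extended in transit from matching on a shared prefix.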