[Oisf-devel] Why sometime p->pcap_cnt value is 0?

Victor Julien victor at inliniac.net
Mon Dec 10 09:38:41 UTC 2012


On 12/07/2012 02:15 PM, iswalker wrote:
> Hi, when I run Suricata in pcap-file mode and use the fast and unified2
> output plugins, I want to know which packet in the pcap file triggered a
> signature, so I print p->pcap_cnt. I found some values are 0, and I don't
> know under which condition the value is set to zero.
> I know that if the event is generated by a single packet, p->pcap_cnt is
> valid; if the event is generated by IP fragments or a TCP stream,
> p->pcap_cnt is useless. Does someone know where the code sets
> p->pcap_cnt to zero?

In some cases we create fake packets internal to the engine to trigger
clean up and final processing. Mostly on flows timing out. As these fake
packets do not relate to packets in a pcap file, their pcap_cnt is 0.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
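The distinction Victor describes, worked through as an added example (this is not code from Suricata or from the original thread): a fast.log-style line writer for pcap-file mode that treats pcap_cnt == 0 as "no originating pcap record" and falls back to flow-level correlation instead of printing a bogus record number. MockPacket, its flow_id and sid fields, the origin enum and the sample packets are constructed stand-ins for this illustration, not Suricata's struct Packet or its real fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the few Packet fields the check needs. It is
 * NOT Suricata's struct Packet; only the meaning of pcap_cnt follows the
 * list reply: a packet read from the pcap file carries its record number,
 * a pseudo packet created inside the engine (mostly on flow timeout) is 0.
 */
typedef struct {
    uint64_t pcap_cnt;  /* record number in the pcap file; 0 = engine-made */
    uint32_t flow_id;   /* constructed stand-in for the owning flow */
    uint32_t sid;       /* constructed stand-in for the alerting signature */
} MockPacket;

typedef enum {
    ORIGIN_PCAP_RECORD = 1,  /* alert traceable to one record in the file */
    ORIGIN_ENGINE      = 2   /* pseudo packet: nothing to open in the pcap */
} AlertOrigin;

typedef struct {
    AlertOrigin origin;
    uint64_t    pcap_cnt;   /* meaningful only for ORIGIN_PCAP_RECORD */
    uint32_t    flow_id;    /* usable for correlation in both cases */
    uint32_t    sid;
} AlertRef;

/* Classify a pcap_cnt value: 0 never names a record, so it is engine-made. */
AlertOrigin OriginOfPcapCnt(uint64_t pcap_cnt)
{
    return pcap_cnt == 0 ? ORIGIN_ENGINE : ORIGIN_PCAP_RECORD;
}

/* Build the reference an output writer should log for an alert on p. */
AlertRef AlertRefFromPacket(const MockPacket *p)
{
    AlertRef ref;
    memset(&ref, 0, sizeof(ref));
    ref.origin   = OriginOfPcapCnt(p->pcap_cnt);
    ref.pcap_cnt = (ref.origin == ORIGIN_PCAP_RECORD) ? p->pcap_cnt : 0;
    ref.flow_id  = p->flow_id;   /* keep the flow even for pseudo packets */
    ref.sid      = p->sid;
    return ref;
}

/* Render one line; returns the snprintf length so truncation is visible. */
int FormatAlertRef(const AlertRef *ref, char *buf, size_t buflen)
{
    if (ref->origin == ORIGIN_PCAP_RECORD) {
        return snprintf(buf, buflen, "sid:%u flow:%u pcap_cnt:%llu",
                        (unsigned)ref->sid, (unsigned)ref->flow_id,
                        (unsigned long long)ref->pcap_cnt);
    }
    /* No record to point at: say so explicitly instead of printing 0. */
    return snprintf(buf, buflen,
                    "sid:%u flow:%u pcap_cnt:- (engine pseudo packet)",
                    (unsigned)ref->sid, (unsigned)ref->flow_id);
}

/* How many of these alerts can be opened as a single pcap record. */
size_t CountRecordBackedAlerts(const MockPacket *pkts, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (OriginOfPcapCnt(pkts[i].pcap_cnt) == ORIGIN_PCAP_RECORD)
            count++;
    }
    return count;
}

/* Constructed sample: two real records and one flow-timeout pseudo packet
 * on the same flow as the first. */
const MockPacket kSamplePackets[3] = {
    { 17, 1, 2000001 },
    {  0, 1, 2000002 },
    { 23, 2, 2000003 },
};

/* Format sample i into a static buffer (convenience for callers/tests). */
const char *DescribeSample(size_t i)
{
    static char line[128];
    AlertRef ref = AlertRefFromPacket(&kSamplePackets[i]);
    FormatAlertRef(&ref, line, sizeof(line));
    return line;
}

int main(void)
{
    for (size_t i = 0; i < 3; i++)
        puts(DescribeSample(i));
    printf("%zu of 3 alerts map to a pcap record\n",
           CountRecordBackedAlerts(kSamplePackets, 3));
    return 0;
}
```

The point for anyone correlating alerts back to a capture: pcap_cnt == 0 is not "record 0", it means the alert was raised on a packet the engine synthesised, so the only reliable handle left is the flow (here the stand-in flow_id), and the line should say so rather than emit a number that no pcap reader can open.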
