[Oisf-users] Suricata and pf_ring packet dissection

Victor Julien lists at inliniac.net
Fri Sep 13 10:32:02 UTC 2013

On 09/12/2013 07:51 PM, sukbir singh wrote:
> Dear Victor,
> If I look into pf_ring on the given snippet of
> pfcount and in it you have this function
> void dummyProcesssPacket(const struct pfring_pkthdr *h, const u_char
> *p, const u_char *user_bytes) { and the source-pfring.c has this
> function static inline void PfringProcessPacket(void *user, struct
> pfring_pkthdr *h, Packet *p) { . I don't understand where and how they
> derive the Packet *p? Thx

It's quite simple. We have a loop in which we get a packet and then call

        p = PacketGetFromQueueOrAlloc();
        int r = pfring_recv(ptv->pd, (u_char**)&GET_PKT_DIRECT_DATA(p),

This connects the data to our packet structure. Then we do some more
pfring handling on it:

            PfringProcessPacket(ptv, &hdr, p);

And finally we push our packet struct through the rest of our engine:

            if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) !=
                TmqhOutputPacketpool(ptv->tv, p);


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
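
A minimal model of the receive loop described in the reply above, added here as an illustration; it is not code from Suricata or PF_RING. The Packet layout, the macro definitions, mock_recv, packet_get and process_packet are simplified stand-ins (assumptions), and the frame bytes are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

/* Stand-ins (assumptions), not Suricata's or PF_RING's real definitions. */
typedef struct { uint32_t caplen, len; } mock_pkthdr;  /* plays pfring_pkthdr */
typedef struct { uint8_t *data; uint32_t max, len; uint8_t buf[64]; } Packet;
#define GET_PKT_DIRECT_DATA(p)     ((p)->data)
#define GET_PKT_DIRECT_MAX_SIZE(p) ((p)->max)

/* Constructed sample frame standing in for traffic waiting in the ring. */
static const uint8_t sample_frame[] = { 0xde, 0xad, 0xbe, 0xef, 0x08, 0x00 };

/* Engine side: hand out an empty Packet. In the reply above,
 * PacketGetFromQueueOrAlloc() plays this role. */
static Packet *packet_get(Packet *slot) {
    memset(slot, 0, sizeof(*slot));
    slot->data = slot->buf;
    slot->max = sizeof(slot->buf);
    return slot;
}

/* Capture side: called the way the reply calls pfring_recv(), with a
 * pointer to the Packet's data pointer; fills the buffer and the header. */
static int mock_recv(uint8_t **buffer, uint32_t buffer_len, mock_pkthdr *hdr) {
    uint32_t n = sizeof(sample_frame);
    hdr->len = n;
    hdr->caplen = n < buffer_len ? n : buffer_len;  /* truncate to caller's room */
    memcpy(*buffer, sample_frame, hdr->caplen);
    return 1;                                       /* one packet delivered */
}

/* Per-packet capture handling: copy header metadata into the Packet. */
static void process_packet(const mock_pkthdr *hdr, Packet *p) {
    p->len = hdr->caplen;
}

/* One loop iteration: returns the captured length, or -1 on failure. */
int receive_one(Packet *slot) {
    mock_pkthdr hdr;
    Packet *p = packet_get(slot);                   /* 1. the engine creates p */
    int r = mock_recv((uint8_t **)&GET_PKT_DIRECT_DATA(p),
                      GET_PKT_DIRECT_MAX_SIZE(p), &hdr); /* 2. bytes attach to p */
    if (r != 1 || hdr.caplen > GET_PKT_DIRECT_MAX_SIZE(p))
        return -1;                                  /* reject oversized caplen */
    process_packet(&hdr, p);                        /* 3. capture metadata */
    return (int)p->len;                             /* 4. p is ready for the engine */
}
```

The point of the model is that the Packet is never derived from the capture library: the engine creates it first and the receive call only fills the data it points to.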
