[Oisf-users] Suricata and pf_ring packet dissection

Victor Julien lists at inliniac.net
Fri Sep 13 10:32:02 UTC 2013


On 09/12/2013 07:51 PM, sukbir singh wrote:
> Dear Victor,
> If I look into pf_ring, one of the given snippets is pfcount, and in it
> you have this function
> void dummyProcesssPacket(const struct pfring_pkthdr *h, const u_char
> *p, const u_char *user_bytes) { and the source-pfring.c has this
> function static inline void PfringProcessPacket(void *user, struct
> pfring_pkthdr *h, Packet *p) { . I don't understand where and how they
> derive the Packet *p? Thx

It's quite simple. We have a loop in which we get a packet and then call
pfring_recv:

        p = PacketGetFromQueueOrAlloc();
        ...
        int r = pfring_recv(ptv->pd, (u_char**)&GET_PKT_DIRECT_DATA(p),
                (u_int)GET_PKT_DIRECT_MAX_SIZE(p),
                &hdr,
                LIBPFRING_WAIT_FOR_INCOMING);

This connects the data to our packet structure. Then we do some more
pfring handling on it:

            PfringProcessPacket(ptv, &hdr, p);

And finally we push our packet struct through the rest of our engine:

            if (TmThreadsSlotProcessPkt(ptv->tv, ptv->slot, p) != TM_ECODE_OK) {
                TmqhOutputPacketpool(ptv->tv, p);
                SCReturnInt(TM_ECODE_FAILED);
            }

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
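The pattern Victor describes, reduced to a stand-alone program, as an added example that is not Suricata's or pf_ring's own code: a packet struct is taken from a pre-allocated pool, the capture routine is handed a pointer to that struct's own buffer together with the buffer's maximum size, and the header bookkeeping is done afterwards. `Pkt`, `pkt_get`, `pkt_release`, `FakeRing`, `fake_ring_recv`, `capture_one` and `run_demo` are constructed names standing in for `Packet`, `PacketGetFromQueueOrAlloc`, `TmqhOutputPacketpool`, `pfring_recv` and the loop in source-pfring.c; the two frames are constructed input, and the buffer is deliberately small so the oversized-frame case is exercised.

```c
/* Added example, not Suricata or pf_ring code. All names below are
 * constructed stand-ins for the real structures and functions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PKT_MAX_SIZE 64   /* tiny on purpose: stands in for GET_PKT_DIRECT_MAX_SIZE */
#define POOL_SIZE    4

typedef struct {
    uint32_t caplen;   /* bytes actually copied into the buffer */
    uint32_t len;      /* original on-the-wire length */
} PktHdr;

typedef struct {
    uint8_t  data[PKT_MAX_SIZE];  /* the receive call writes straight into this */
    uint32_t datalen;
    PktHdr   hdr;
    int      in_use;
} Pkt;

static Pkt pool[POOL_SIZE];

/* Stand-in for PacketGetFromQueueOrAlloc(): hand out a free slot, or NULL. */
Pkt *pkt_get(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for TmqhOutputPacketpool(): give the slot back. */
void pkt_release(Pkt *p) { if (p) p->in_use = 0; }

int pool_free_count(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += !pool[i].in_use;
    return n;
}

/* Constructed capture source: a fixed list of frames handed out in order. */
typedef struct {
    const uint8_t *frames[8];
    uint32_t       lens[8];
    int            count, next;
} FakeRing;

/* Stand-in for pfring_recv(): copy the next frame into the caller's buffer,
 * never more than buf_max bytes. Returns 1 for a packet, 0 when empty. */
int fake_ring_recv(FakeRing *r, uint8_t *buf, uint32_t buf_max, PktHdr *hdr) {
    if (r->next >= r->count) return 0;
    uint32_t wire_len = r->lens[r->next];
    uint32_t caplen = wire_len < buf_max ? wire_len : buf_max;  /* clamp, never overflow */
    memcpy(buf, r->frames[r->next], caplen);
    hdr->caplen = caplen;
    hdr->len = wire_len;
    r->next++;
    return 1;
}

/* The loop from the reply in miniature: pool -> receive into p->data ->
 * header bookkeeping (the part PfringProcessPacket does for these fields). */
Pkt *capture_one(FakeRing *r) {
    Pkt *p = pkt_get();
    if (p == NULL) return NULL;                 /* pool exhausted */
    PktHdr hdr;
    if (fake_ring_recv(r, p->data, (uint32_t)sizeof p->data, &hdr) != 1) {
        pkt_release(p);                         /* nothing received: return the slot */
        return NULL;
    }
    p->hdr = hdr;
    p->datalen = hdr.caplen;
    return p;
}

/* Run two constructed frames (14 bytes and 200 bytes) through capture_one and
 * report each packet's caplen/len; returns the number of packets captured. */
int run_demo(uint32_t caplen_out[2], uint32_t len_out[2]) {
    static const uint8_t small[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 1,2,3,4,5,6, 0x08,0x00};
    static uint8_t big[200];
    memset(big, 0xAB, sizeof big);
    FakeRing ring = { .frames = { small, big }, .lens = { 14, 200 }, .count = 2, .next = 0 };
    int n = 0;
    Pkt *p;
    while (n < 2 && (p = capture_one(&ring)) != NULL) {
        caplen_out[n] = p->hdr.caplen;
        len_out[n] = p->hdr.len;
        n++;
        pkt_release(p);
    }
    return n;
}

int main(void) {
    uint32_t cl[2], ln[2];
    int n = run_demo(cl, ln);
    for (int i = 0; i < n; i++)
        printf("caplen=%u len=%u%s\n", cl[i], ln[i], cl[i] < ln[i] ? " (truncated)" : "");
    return 0;
}
```

The point to take from the second frame: because the receive call is bounded by the packet struct's own buffer size, an oversized frame is truncated to `PKT_MAX_SIZE` and `hdr.len` still records the real wire length, which is the property that lets the engine tell a truncated packet from a short one.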
