> > Ok, I think I've found the root cause of the problem, but it's strange.
> > In ts_print() function in util.c (just for those interested in locating
> > the line below in snort source code), there is a line like this:
> >
> > s = (tvp->tv_sec + localzone) % 86400;
> >
> > On amd64, this produces random output (not so random, but anyway), which
> > is the value of s. To fix this problem, all I have to do is to expand
> > that line as follows:
> >
> > temp = tvp->tv_sec + localzone;
> > s = temp % 86400;
> >
> > Since I felt that this is a very dumb thing to do (and just a work
> > around), I suspected the type of s. So I used different types for s, but
> > nothing has changed. Also, since I tried -O0 compiler option, I don't
> > think it's an optimization problem.
> >
> > Could somebody explain how this is possible? On amd64 what is it that's
> > different from i386 and can cause a problem like this? And what is the
> > correct way of fixing it?
> >
> From a quick look, it seems that it's a problem with struct timeval and
> the type of tv_sec. The one in sys/time.h is long (64-bit in that case),
> and the one from pcap is defined as a 32-bit int. Mixing the two makes
> for strange things like you're seeing...

Just to reiterate, snort/its plugins call ts_print() with a pcap_timeval argument, which has a 32-bit tv_sec (uint32_t). ts_print, however, works with the sys/time.h timeval, which has a 64-bit tv_sec (long). On i386 this is no problem of course. One has to carefully trace the actual problem (I have not done that yet) and make the usages consistent.
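
The mismatch discussed in this thread, as an added example that is not part of the original messages or of the snort source: it shows what a reader expecting a 64-bit tv_sec gets from a struct whose fields are 32 bits wide, next to a field-by-field widening. The struct name `pcap_timeval32`, the helper names and the sample timestamp are assumptions made for illustration, and the example assumes the 32-bit struct is read through the 64-bit layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>

/* Hypothetical stand-in for a capture timestamp with 32-bit fields. */
struct pcap_timeval32 {
    uint32_t tv_sec;
    uint32_t tv_usec;
};

/* What a reader expecting a 64-bit tv_sec at offset 0 sees: the 8 bytes
 * holding BOTH 32-bit fields. memcpy keeps the demonstration well defined. */
int64_t misread_sec(const struct pcap_timeval32 *p)
{
    int64_t wide;
    memcpy(&wide, p, sizeof wide);
    return wide;
}

/* Consistent usage: widen field by field instead of reinterpreting memory. */
struct timeval widen(const struct pcap_timeval32 *p)
{
    struct timeval tv;
    tv.tv_sec = (time_t)p->tv_sec;
    tv.tv_usec = (suseconds_t)p->tv_usec;
    return tv;
}

/* Seconds since midnight, same arithmetic as the quoted ts_print() line. */
long secs_of_day(int64_t sec, long localzone)
{
    return (long)((sec + localzone) % 86400);
}

int main(void)
{
    /* Constructed sample timestamp. */
    struct pcap_timeval32 p = { 1000000000u, 123456u };
    struct timeval tv = widen(&p);

    printf("misread: %ld\n", secs_of_day(misread_sec(&p), 0));
    printf("widened: %ld\n", secs_of_day((int64_t)tv.tv_sec, 0));
    return 0;
}
```

Because the misread value folds tv_usec into the seconds, the printed time of day changes with every packet's microsecond field, which matches the "not so random" output described above.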