Snort mailing list archives

Re: ethereal 0.9.8 can't read tcpdump.log.XXXX


From: Christian Bock <Christian.Bock () liz lsa-net de>
Date: Fri, 10 Jan 2003 11:23:24 +0100

the problem of the unreadable file was that two instances of snort were running,
when only one is running everything is fine

the problem of the deleted dump does not occur when running snort via
command line, but when stopping via webmin. ( have now to figure out
that one ... )

On Thursday, 9 January 2003 19:13, Erek Adams wrote:
On Thu, 9 Jan 2003, Christian Bock wrote:
ethereal says that the tcpdump.file is in no format it can understand,
but tcpdump can read it. When "converting" the file with tcpdump,
( read it and write to another file ) ethereal can understand that file.
Are there known troubles concerning this?
Another question is how to save the dumpfile, because for some
reason the file is deleted when snort is stopped. ( is that the "normal"
behaviour ? ) ... I would like to keep and analyze that file even when
snort is stopped for some reason

Ok, something's not normal with your setup.  I'm able to start Snort, run
it, stop it, and read the dump with tcpdump or ethereal.

I'd hazard a guess that you have an older libpcap version.  IIRC, 3.7.1 is
the most current version of tcpdump and 0.7.1 is the most current version
of libpcap.  You might want to check that one or both of those isn't
outdated.

As for Snort deleting its logfiles, nothing that I can see in the code
does that.  What is the version of Snort you are running?  And if Snort
stops and deletes the file, how can you run tcpdump/ethereal over the pcap
file?  Something just isn't right -- we've got a lot of users and I don't
ever recall someone having the pcap deleted when Snort exits.  How are you
running Snort?  Command line or thru a script?

I'm not saying you are crazy, I'm just saying something doesn't fit.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
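A structural check of a libpcap file helps tell "wrong libpcap version" apart from "file clobbered by two writers", the two explanations raised in this thread. The script below is an added example, not part of the original posts or of Snort; it walks the global header and each record header, and the sample captures, including the interleaved-writer file, are constructed inline for illustration.

```python
import struct

# libpcap magic numbers (read big-endian from the first 4 bytes) -> struct byte order.
# 0xa1b2c3d4 / 0xd4c3b2a1 are microsecond-timestamp files; the others are nanosecond.
PCAP_MAGIC = {0xa1b2c3d4: ">", 0xd4c3b2a1: "<", 0xa1b23c4d: ">", 0x4d3cb2a1: "<"}

def check_pcap(data):
    """Walk a libpcap capture; return (ok, records_parsed, message) for the first problem."""
    if len(data) < 24:
        return False, 0, "shorter than the 24-byte global header"
    endian = PCAP_MAGIC.get(struct.unpack(">I", data[:4])[0])
    if endian is None:
        return False, 0, "unknown magic number: not a libpcap file"
    major, minor, _tz, _sig, snaplen, _link = struct.unpack(endian + "HHiIII", data[4:24])
    if major != 2:
        return False, 0, "unexpected file version %d.%d" % (major, minor)
    off, n = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return False, n, "truncated record header at offset %d" % off
        _sec, _usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        if incl > orig or incl > snaplen:
            return False, n, "record %d at offset %d: incl_len %d vs orig_len %d, snaplen %d" % (
                n, off, incl, orig, snaplen)
        if off + 16 + incl > len(data):
            return False, n, "record %d at offset %d: body runs past end of file" % (n, off)
        off += 16 + incl
        n += 1
    return True, n, "ok"

def global_header(snaplen=1514, linktype=1):
    # Little-endian, version 2.4, Ethernet link type, as tcpdump/snort write on x86.
    return struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, snaplen, linktype)

def record(sec, usec, payload):
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

# Constructed sample data (not a real capture): two 60-byte dummy frames.
PKT1 = record(1042194204, 100000, b"\x01" * 60)
PKT2 = record(1042194204, 500000, b"\x02" * 60)
GOOD = global_header() + PKT1 + PKT2
# Constructed illustration of two writers sharing one file: a second global header
# lands between records, so its bytes get parsed as a record header.
CLOBBERED = global_header() + PKT1 + global_header() + PKT2

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("clobbered", CLOBBERED)):
        print(name, check_pcap(blob))
```

The offset in the message is where a hex dump of the real file would show the second header (or whatever else was written mid-stream), which is the evidence to bring back to a thread like this one.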


