Snort mailing list archives
pcap logging in inline mode broken?
From: Florian Westphal <fwestphal () astaro com>
Date: Thu, 29 Oct 2009 11:38:29 +0100
Disclaimer: I am seeing this on a patched snort (nfqueue support) 2.8.5/2.8.5.1; I did not try to reproduce this with the vanilla sources. When running in inline mode and with "-k pcap", data gets written to the pcap file, but tcpdump misinterprets its contents -- the pcap_handle has not been opened with DLT_RAW, even though inline.c:InitInline() does that. It works fine when snort is run without -D flag.
From looking at vanilla snort.c source (2.8.5.1), I think this is what's happening:
int SnortMain(int argc, char *argv[])
{
    [..]
    SnortInit(argc, argv);   // Calls InitInline() -> opens pcap_handle in _RAW mode

    if (ScDaemonMode())
    {
        /* Test pcap open if daemonizing so that we FatalError before
         * daemonizing if pcap cannot be opened. */
        InitPcap(1);
        if (pcap_handle != NULL)   // Zaps _RAW pcap_handle <----- HERE
        {
            pcap_close(pcap_handle);
            pcap_handle = NULL;
        }
        printf("pcap_handle before GoDaemon\n", pcap_handle);
        GoDaemon();
    }

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
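One quick way to confirm the symptom described above is to read the link type straight out of the pcap file's global header and compare it with what the first record actually contains. The checker below is an added example written for this page; it is not part of the original post or of the snort sources. It assumes libpcap's savefile numbering (LINKTYPE_RAW = 101, which libpcap writes for a handle opened with DLT_RAW, with the older value 12 also accepted; LINKTYPE_EN10MB = 1), and it assumes that the re-opened, non-RAW handle is an Ethernet one, which the post does not state. The packet and the two pcap files are constructed inline; a real file from snort can be passed on the command line.

```python
import struct

# libpcap savefile link types. libpcap writes LINKTYPE_RAW (101) for a handle
# opened with DLT_RAW; older files may carry DLT_RAW's own value, 12.
LINKTYPE_EN10MB = 1
LINKTYPE_RAW = 101
DLT_RAW = 12
RAW_LINKTYPES = (LINKTYPE_RAW, DLT_RAW)

PCAP_MAGIC = 0xA1B2C3D4                       # byte-swapped magic means the other byte order
KNOWN_ETHERTYPES = (0x0800, 0x86DD, 0x0806)   # IPv4, IPv6, ARP


def build_pcap(linktype, packets):
    """Construct a minimal little-endian libpcap file: global header plus one record per packet."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    out = [hdr]
    for ts, pkt in packets:
        out.append(struct.pack("<IIII", ts, 0, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def _endian(data):
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        return "<"
    if magic == 0xD4C3B2A1:
        return ">"
    raise ValueError("not a libpcap savefile")


def pcap_linktype(data):
    """Return the link type recorded in the global header (bytes 20..23)."""
    return struct.unpack(_endian(data) + "I", data[20:24])[0]


def first_record(data):
    """Return the captured bytes of the first packet record, or None if there is none."""
    if len(data) < 40:
        return None
    incl_len = struct.unpack(_endian(data) + "IIII", data[24:40])[2]
    return data[40:40 + incl_len]


def diagnose(data):
    """Compare the declared link type with what the first packet looks like.

    Returns (linktype, description, consistent). A file written through an
    Ethernet handle but fed raw IP packets (the assumed inline-mode symptom)
    comes back inconsistent: its "Ethernet type" field is really two bytes of
    the IP source address, which is why tcpdump misreads it.
    """
    linktype = pcap_linktype(data)
    pkt = first_record(data)
    if pkt is None:
        return linktype, "no packets", True
    version = pkt[0] >> 4
    if linktype in RAW_LINKTYPES:
        return linktype, "raw IPv%d" % version, version in (4, 6)
    if linktype == LINKTYPE_EN10MB:
        if len(pkt) < 14:
            return linktype, "short Ethernet frame", False
        ethertype = struct.unpack("!H", pkt[12:14])[0]
        return linktype, "Ethernet type 0x%04x" % ethertype, ethertype in KNOWN_ETHERTYPES
    return linktype, "unhandled link type", False


def ipv4_packet(src, dst, payload=b""):
    """Constructed sample: a minimal IPv4 header (proto UDP, no options, checksum left zero)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 17, 0,
                      bytes(src), bytes(dst))
    return hdr + payload


# Constructed sample data: the same raw IP packet written under a raw IP handle
# (what InitInline() opens) and under an Ethernet handle (the assumed symptom).
SAMPLE_PKT = ipv4_packet((10, 0, 0, 1), (10, 0, 0, 2), b"\x00\x35\x00\x35\x00\x08\x00\x00")
GOOD_PCAP = build_pcap(LINKTYPE_RAW, [(1256812709, SAMPLE_PKT)])
BAD_PCAP = build_pcap(LINKTYPE_EN10MB, [(1256812709, SAMPLE_PKT)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(diagnose(f.read()))
    else:
        print("raw IP handle:  ", diagnose(GOOD_PCAP))
        print("ethernet handle:", diagnose(BAD_PCAP))
```

Run it against the file snort wrote while daemonized; a link type other than 101 (or 12) on a file that should contain raw IP from the inline path is the mismatch the post describes, independent of how tcpdump chooses to render it.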
Current thread:
- pcap logging in inline mode broken? Florian Westphal (Oct 29)