Snort mailing list archives
Re: DAQ and libpcap 1.1.1 vs 1.0.0
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 8 Nov 2010 14:59:48 -0500
Did you enable debug on your DAQ build (-g -O0)?

I don't have --disable-remote (or anything "remote") with libpcap-1.1.1.

On Mon, Nov 8, 2010 at 2:55 PM, Russ Combs <rcombs () sourcefire com> wrote:

> On Mon, Nov 8, 2010 at 12:35 PM, <vincent () cojot name> wrote:
>
>> Hi Russ,
>>
>> On my RHEL5.5 system, the following CFLAGS are passed to libpcap's configure:
>>
>> + CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
>> + ./configure --prefix=/usr/libpcap1 --enable-ipv6 --without-libnl
>>
>> I recompiled without --disable-remote and ran gdb on snort.
>> Running gdb on this build wasn't very informative:
>
> Did you build the DAQ with debug support (-g -O0)?
>
>> (gdb) set args -i eth0
>> (gdb) r
>> Starting program: /usr/sbin/snort-plain -i eth0
>> [Thread debugging using libthread_db enabled]
>> Running in packet dump mode
>>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pcap DAQ configured to passive.
>> Acquiring network traffic from "eth0".
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x000000000049feec in pcap_daq_start ()
>> (gdb) bt
>> #0 0x000000000049feec in pcap_daq_start ()
>> #1 0x0000000000438624 in DAQ_Start () at ../../src/sfdaq.c:414
>> #2 0x0000000000424bda in SnortMain (argc=3, argv=0x7fffffffe7e8) at ../../src/snort.c:712
>> #3 0x0000003536e1d994 in __libc_start_main () from /lib64/libc.so.6
>> #4 0x0000000000404359 in _start ()
>> (gdb) b DAQ_Start
>> Breakpoint 1 at 0x438610: file ../../src/sfdaq.c, line 414.
>> (gdb) r
>> The program being debugged has been started already.
>> Start it from the beginning? (y or n) y
>> Starting program: /usr/sbin/snort-plain -i eth0
>> [Thread debugging using libthread_db enabled]
>> Running in packet dump mode
>>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pcap DAQ configured to passive.
>> Acquiring network traffic from "eth0".
>>
>> Breakpoint 1, DAQ_Start () at ../../src/sfdaq.c:414
>> 414 int err = daq_start(daq_mod, daq_hand);
>> (gdb) s
>> 413 {
>> (gdb) s
>> 414 int err = daq_start(daq_mod, daq_hand);
>> (gdb) s
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x000000000049feec in pcap_daq_start ()
>> (gdb) what daq_mod
>> type = const DAQ_Module_t *
>> (gdb) what daq_hand
>> type = void *
>> (gdb) display daq_hand
>> 1: daq_hand = (void *) 0x156c9c0
>> (gdb) display daq_mod
>> 2: daq_mod = (const DAQ_Module_t *) 0x4e6000
>>
>> And in the syslog, I got:
>>
>> snort[24390]: segfault at 0000000000000010 rip 000000000049feec rsp 00007fff03cf30f0 error 4
>>
>> Perhaps there's a security feature kicking in?
>>
>> On Mon, 8 Nov 2010, vincent () cojot name wrote:
>>
>>> Hi Russ,
>>>
>>> On Mon, 8 Nov 2010, Russ Combs wrote:
>>>
>>>> I don't seem to have a --disable-remote for my libpcap 1.1.1 configure.
>>>> What exactly does that do?
>>>
>>> # ./configure --help|grep remot
>>> --disable-remote disable remote capture capabilities
>
> Don't have this in my libpcap-1.1.1.
>
>>> That's all I know. I don't know yet why it causes daq to crash snort when that support is compiled in. libpcap-1.0.0 didn't have these 'remote capture' features (I think).
>>>
>>>> I'm glad you've got a workaround but would like to figure out what the
>>>> issue is and fix the DAQ if needed.
>>>
>>> Yes, so would I. Now that I got the binary distribution 'stabilized' enough, I can spend more time trying to figure out why it crashes under RHEL5.5 when 'remote capture' is enabled inside libpcap 1.1.1.
>>>
>>> Regards,
>>> Vincent