Snort mailing list archives

Re: Libpcap and 'ip-address-less' interfaces...


From: Fyodor <fygrave () tigerteam net>
Date: Thu, 6 Dec 2001 00:19:30 +0700


I think it is actually a legitimate warning message:


    if(pcap_lookupnet(pv.interfaces[num], &localnet, &netmask, errorbuf) < 0)
    {
        if (!pv.readmode_flag)
        {
            ErrorMessage("WARNING: OpenPcap() device %s network "
                    "lookup: \n\t%s\n", PRINT_INTERFACE(pv.interfaces[num]), errorbuf);
        }
        /*
         * set the default netmask to 255.255.255.0 (for stealthed
         * interfaces)
         */
        netmask = htonl(defaultnet);
    }

Which makes sense, no ip address on an interface, no netmask. The only
thing which you'll have affected in this case is INTERFACE_<ifnum>
variable setting in snort.conf. (the variable will not be set).

On Wed, Dec 05, 2001 at 10:04:15AM -0500, Joshua Wright wrote:
The folks at RedHat did some strange things with libpcap to include the
device name in the dump records.  See Dave Dittrich's rant in his SSH CRC32
exploit analysis at
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt (roughly halfway
through the document in the "Network Traffic" section).

I recommend downloading a clean libpcap distro and recompiling a static
snort binary using the extracted libpcap tarball.

Let us know how you make out.
