Snort mailing list archives
Re: Libpcap and 'ip-address-less' interfaces...
From: Fyodor <fygrave () tigerteam net>
Date: Thu, 6 Dec 2001 00:19:30 +0700
I think it is actually a legitimate warning message:

    if(pcap_lookupnet(pv.interfaces[num], &localnet, &netmask, errorbuf) < 0)
    {
        if (!pv.readmode_flag)
        {
            ErrorMessage("WARNING: OpenPcap() device %s network "
                         "lookup: \n\t%s\n",
                         PRINT_INTERFACE(pv.interfaces[num]), errorbuf);
        }

        /*
         * set the default netmask to 255.255.255.0 (for stealthed
         * interfaces)
         */
        netmask = htonl(defaultnet);
    }

Which makes sense, no ip address on an interface, no netmask. The only thing which you'll have affected in this case is INTERFACE_<ifnum> variable setting in snort.conf. (the variable will not be set).

On Wed, Dec 05, 2001 at 10:04:15AM -0500, Joshua Wright wrote:
The folks at RedHat did some strange things with libpcap to include the device name in the dump records. See Dave Dittrich's rant in his SSH CRC32 exploit analysis at http://staff.washington.edu/dittrich/misc/ssh-analysis.txt (roughly halfway through the document in the "Network Traffic" section). I recommend downloading a clean libpcap distro and recompiling a static snort binary using the extracted libpcap tarball. Let us know how you make out.