Snort mailing list archives
RE: Buffer too small for packet.dll? (was: Error initializing NIC)
From: Reinhard Doberstein <r.doberstein () typoart de>
Date: Thu, 25 Apr 2002 12:00:42 +0200
Hi John,

sounds very interesting. Btw, there is a bug report about this; its number is 543346 [http://sourceforge.net/tracker/index.php?func=detail&aid=543346&group_id=3357&atid=103357].

Bye,
Reinhard

--
Reinhard Doberstein
mailto:r.doberstein () gmx de
http://www.doberstein.com

-----Original Message-----
From: John Goggan [mailto:jgoggan () dcg com]
Sent: Thursday, April 25, 2002 7:07 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Buffer too small for packet.dll? (was: Error initializing NIC)

Reinhard Doberstein wrote:
> With "snort -W" I got:
>
> -*> Snort! <*-
> Version 1.8-WIN32 (Build 103)
> By Martin Roesch (<EMAIL: PROTECTED>, http://www.snort.org)
> 1.7-WIN32 Port By Michael Davis (<EMAIL: PROTECTED>, http://www.datanerds.net/~mike)
> 1.8-WIN32 Port By Chris Reid (<EMAIL: PROTECTED>) (based on code from 1.7 port)
>
> Interface Device Description
> -------------------------------------------
> 1 .................................................................
>
> so I got nothing for Device or Description. And that happened on all machines. I think this is the problem.

I am having this same problem on 2 out of 3 of my Win2000 machines. After looking over the source code for a while, I've discovered that it is some type of problem with the length of BufferSize passed to PacketGetAdapterNames, I believe. Note that I'm brand-new to the Win32 version of snort as of a few hours ago, so please excuse any ignorance...

Basically, if you drop in a debug (with _DEBUG_TO_FILE) version of packet.dll, you will get output similar to this when doing a "snort -W" to display interfaces (when I get the empty interface list as shown above):

    ************Packet32: DllMain************
    PacketGetAdapterNames: BufferSize=1024
    Need 1246 bytes for the names
    PacketGetAdapterNames: GlobalAlloc Failed

As you can see, the BufferSize is 1024, but I need 1246 bytes for the interface list. Therefore, things fail... The question is -- why don't I have a big enough buffer? :) I don't see where this is set at all with the Packet.dll version of things. If I look at the Wpcap.dll code, I see that a buffer of size 8192 is set and passed into PacketGetAdapterNames (from within pcap_lookupdev). This is why everything works fine when WinDump is used to show the interfaces -- since WinDump appears to use the Wpcap.dll, correct?

So -- when packet.dll is used -- what exactly calls PacketGetAdapterNames? I don't really understand how packet.dll is used yet -- so please excuse my ignorance there. But, it basically looks like, for packet.dll, the buffer size for whatever calls PacketGetAdapterNames is simply much too small (1024) for some Win2000 boxes.

Can anyone fill me in if I'm missing something? Or, if that's it, can someone tell me where to adjust that buffer size for apps using packet.dll?

Thanks!

- John Goggan...

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
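The failure described in the thread (a fixed 1024-byte buffer when 1246 bytes are needed) contrasted with a grow-and-retry caller, as an added example that is not code from the thread, Snort, or packet.dll. `fake_get_adapter_names` is a constructed stand-in, and its contract of reporting the required size back through the size parameter is an assumption; the sizes 1024, 1246 and 8192 are the ones quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMES_LEN 1246UL /* bytes needed, per the debug log in the thread */

/* Constructed stand-in, NOT the real packet.dll call. Assumed contract:
   *size is the capacity on entry; if too small, return 0 and store the
   required size in *size. On success the list ends with two NUL bytes. */
static int fake_get_adapter_names(char *buf, unsigned long *size)
{
    if (buf == NULL || *size < NAMES_LEN) {
        *size = NAMES_LEN;
        return 0;
    }
    memset(buf, 'A', NAMES_LEN - 2);
    buf[NAMES_LEN - 2] = buf[NAMES_LEN - 1] = '\0';
    *size = NAMES_LEN;
    return 1;
}

/* Fixed-size caller: one attempt, no recovery (the failing pattern). */
int list_fixed(unsigned long capacity)
{
    char *buf = malloc(capacity);
    unsigned long size = capacity;
    int ok = buf != NULL && fake_get_adapter_names(buf, &size);
    free(buf);
    return ok;
}

/* Grow-and-retry caller: returns a heap buffer (caller frees) or NULL. */
char *list_retry(unsigned long initial, unsigned long *out_len)
{
    unsigned long size = initial;
    char *buf = malloc(size);
    for (int attempt = 0; buf != NULL && attempt < 4; attempt++) {
        unsigned long want = size;
        if (fake_get_adapter_names(buf, &want)) { *out_len = want; return buf; }
        if (want <= size) break;            /* failure is not about size */
        char *bigger = realloc(buf, want);
        if (bigger == NULL) break;          /* buf is still valid, freed below */
        buf = bigger;
        size = want;
    }
    free(buf);
    return NULL;
}

int main(void)
{
    unsigned long n = 0;
    char *names = list_retry(1024, &n);
    printf("fixed 1024: %d, fixed 8192: %d, retry: %lu bytes\n",
           list_fixed(1024), list_fixed(8192), names ? n : 0UL);
    free(names);
    return 0;
}
```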
Current thread:
- RE: Buffer too small for packet.dll? (was: Error initializing NIC) Reinhard Doberstein (Apr 25)
- Re: Buffer too small for packet.dll? (was: Error initializing NIC) Chris Reid (Apr 25)