Snort mailing list archives
Re: Having trouble using -b switch
From: "Chris Reid" <Chris.Reid () CodeCraftConsultants com>
Date: Fri, 27 Sep 2002 17:28:48 -0600
If memory serves correctly, the patch for this problem under Win32 never got committed into the source code before the 1.8.7 version was frozen. The code tries to flush an output buffer; it works properly under Unix, but not under Win32.

For those of you who want to tweak the 1.8.7 source code, attached is the original patch. In particular, pay attention to the #ifdef within the patch, which corrects the offending line of code.

Chris Reid.

----- Original Message -----
From: "Dan Harpold" <danharp () seaburytech com>
To: <snort-users () lists sourceforge net>
Sent: Friday, September 27, 2002 1:08 PM
Subject: RE: [Snort-users] Having trouble using -b switch

I've been having a similar problem. Whenever I run in binary mode, it shuts down as soon as it tries to write an entry to the log. It creates the log file and writes 24 bytes to it. It fails after the first write after that. In regular mode, it runs fine. I just downloaded the latest version of winpcap (3.0a). I am also a newbie to snort, so I may be missing something here. This is happening on two different machines (similar hardware, both with Intel Pro 100 NIC).

When I run -W, I get the following:

1 \Device\NPF_{guid} {Intel(R) Pro Adapter (Microsoft's PAcket Scheduler) }
2 \Device\NPF_NdisWanIP {NdisWan Adapter (Microsoft's Packet Scheduler) }

Any help would be appreciated.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Chris Green
Sent: Friday, September 27, 2002 1:13 PM
To: Snort Users List
Subject: Re: [Snort-users] Having trouble using -b switch

rkeller () lsoft com writes:

Yes, it does. And, when in binary mode, a new log file is created within the logdirectory.

Please do a snort -W to list the interfaces. You may be running into the libpcap buffer overrun. In that case, you'll need a newer winpcap.

--
Chris Green <cmg () sourcefire com>
A watched process never cores.

Attachment: spo_log_tcpdump.c_diff
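
Added example, not part of the original thread or of Snort's code: the 24 bytes reported in the quoted message equal the size of the global header of a classic libpcap (tcpdump-format) file, so a binary log stuck at that size holds no packet records. The Python sketch below checks a capture for exactly that condition; the function name `inspect_pcap` and all sample bytes are constructed for illustration.

```python
import struct

GLOBAL_HDR_LEN = 24  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16  # ts_sec, ts_usec, incl_len, orig_len

def inspect_pcap(data):
    """Summarise a classic libpcap byte string: validity, packet count, truncation."""
    if len(data) < GLOBAL_HDR_LEN:
        return {"valid": False, "reason": "shorter than the 24-byte global header"}
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"   # written on a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"   # written on a big-endian host
    else:
        return {"valid": False, "reason": "unrecognised magic number"}
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    packets, offset, truncated = 0, GLOBAL_HDR_LEN, False
    while offset < len(data):
        if offset + RECORD_HDR_LEN > len(data):
            truncated = True          # record header cut short
            break
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            truncated = True          # packet bytes cut short
            break
        packets += 1
        offset = end
    return {"valid": True, "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets, "truncated": truncated,
            "header_only": packets == 0 and not truncated}

# Constructed samples (not taken from the thread).
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)  # linktype 1 = Ethernet
RECORD = struct.pack("<IIII", 0, 0, 4, 4) + b"\x00" * 4            # one 4-byte packet
HEADER_ONLY_LOG = HEADER                  # a 24-byte file like the one described above
ONE_PACKET_LOG = HEADER + RECORD
CUT_SHORT_LOG = HEADER + RECORD[:10]      # writer stopped mid-record

if __name__ == "__main__":
    for name, blob in [("header only", HEADER_ONLY_LOG), ("one packet", ONE_PACKET_LOG),
                       ("cut short", CUT_SHORT_LOG)]:
        print(name, len(blob), inspect_pcap(blob))
```

A result with `header_only` set means the log was opened and its header written, but no packet record ever reached the file.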