Snort mailing list archives

pcap logging in inline mode broken?


From: Florian Westphal <fwestphal () astaro com>
Date: Thu, 29 Oct 2009 11:38:29 +0100

Disclaimer: I am seeing this on a patched snort (nfqueue support) 2.8.5/2.8.5.1;
I did not try to reproduce this with the vanilla sources.

When running in inline mode and with "-k pcap", data gets written to the
pcap file, but tcpdump misinterprets its contents -- the pcap_handle has
not been opened with DLT_RAW, even though inline.c:InitInline() does
that.

It works fine when snort is run without -D flag.

From looking at vanilla snort.c source (2.8.5.1), I think this is what's happening:

int SnortMain(int argc, char *argv[])
{
[..]
    SnortInit(argc, argv);  // Calls InitInline() -> opens pcap_handle in _RAW mode

    if (ScDaemonMode())
    {
        /* Test pcap open if daemonizing so that we FatalError before
         * daemonizing if pcap cannot be opened. */
        InitPcap(1);

        if (pcap_handle != NULL) // Zaps _RAW pcap_handle     <----- HERE
        {
            pcap_close(pcap_handle);
            pcap_handle = NULL;
        }
    printf("pcap_handle before GoDaemon: %p\n", (void *)pcap_handle);

        GoDaemon();
    }


_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
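The quickest way to confirm what the message describes (data written, but tcpdump decoding it with the wrong link layer) is to read the link type out of the pcap file's 24-byte global header. The script below is an added example, not Snort code and not from this thread; it needs no libpcap. Raw IP is what inline.c asks for with DLT_RAW (12); libpcap writes that into the file header as LINKTYPE_RAW (101) and readers accept either value, so both are treated as correct. The IPv4 header used to show the Ethernet misdecode is constructed for the example.

```python
"""Check the link-layer type recorded in a pcap global header.

Added example (not Snort's or libpcap's code). Snort's inline.c opens the
dump handle with DLT_RAW, so each record starts at the IP header. If the
handle was replaced by one with another link type, tcpdump decodes those
records as Ethernet frames. This reads only the 24-byte global header.
"""
import struct
import sys

DLT_EN10MB = 1          # Ethernet
DLT_RAW = 12            # raw IP, the DLT value inline.c opens with
LINKTYPE_RAW = 101      # what libpcap writes into the file for DLT_RAW
RAW_IP_VALUES = (DLT_RAW, LINKTYPE_RAW)

PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D

LINKTYPE_NAMES = {0: "NULL", 1: "EN10MB", 12: "RAW", 101: "RAW", 113: "LINUX_SLL"}


def parse_pcap_header(data):
    """Return the fields of a libpcap global header, detecting byte order."""
    if len(data) < 24:
        raise ValueError("short read: the pcap global header is 24 bytes")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a libpcap file (bad magic)")
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "endian": endian,
        "nanosecond": magic == PCAP_MAGIC_NSEC,
        "version": (major, minor),
        "snaplen": snaplen,
        "linktype": linktype,
    }


def make_pcap_header(linktype, snaplen=65535):
    """Build a little-endian pcap global header (constructed test data)."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def check_inline_pcap(data):
    """(ok, message): ok is True when the records are raw IP as inline mode writes."""
    hdr = parse_pcap_header(data)
    name = LINKTYPE_NAMES.get(hdr["linktype"], str(hdr["linktype"]))
    if hdr["linktype"] in RAW_IP_VALUES:
        return True, "link type %s: records start at the IP header" % name
    return False, ("link type %s: tcpdump will decode raw IP records as %s frames"
                   % (name, name))


# Constructed 20-byte IPv4 header (TCP, 10.0.0.1 -> 10.0.0.2), no payload.
SAMPLE_IPV4 = bytes.fromhex(
    "4500001400010000"   # ver/ihl, tos, total len 20, id 1, flags/frag
    "40060000"           # ttl 64, proto TCP, checksum (unset)
    "0a000001"           # src 10.0.0.1
    "0a000002")          # dst 10.0.0.2


def ethertype_if_decoded_as_ethernet(packet):
    """Ethertype an Ethernet decoder reads from bytes 12-13 of a raw IP record.

    For a raw IPv4 record those bytes are the first half of the source
    address, so the value is not 0x0800 and the packet is misinterpreted.
    """
    if len(packet) < 14:
        return None
    return struct.unpack("!H", packet[12:14])[0]


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        ok, msg = check_inline_pcap(f.read(24))
    print(("OK: " if ok else "PROBLEM: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it against the file snort wrote with -k pcap in daemon mode and again against one written without -D; the daemonised run should be the one reporting a non-raw link type if the handle was indeed replaced.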