Re: [PATCHES] Fixes for daq_nfq

[Russ Combs <rcombs () sourcefire com>]

OK - what version of pcap are you using?

On Tue, Mar 22, 2011 at 8:42 PM, Kelvie Wong <kwong () wurldtech com> wrote:

> Hey Russ,
>
> On March 22, 2011 04:51:49 PM Russ Combs wrote:
> > Are you using the latest Snort?  The NFQ DAQ was recently changed to
> return
> > the IP4 or IP6 flavor instead of RAW because Snort determines the layer 3
> > protocol from the layer 2 header, and in this case there is no layer 2
> > header.  Returning IP4 or IP6 allows Snort to work with either.
> Yeah, I'm using Snort 2.9.0.4; I think the main problem is that this value
> is
> being handed over to libpcap, in the pcap_open_dead line.  If you feed it
> DLT_IPV4, it will set its link layer type to -1, as it does not recognize
> it.
>
>
> >     if (!ScTestMode())
> >     {
> >         pcap_t* pcap = pcap_open_dead(DAQ_GetBaseProtocol(),
> > DAQ_GetSnapLen()); data->dumpd = pcap ? pcap_dump_open(pcap,
> data->logdir)
> > : NULL;
> >
> >         if(data->dumpd == NULL)
> >         {
> >             FatalError("log_tcpdump: Failed to open log file \"%s\":
> %s\n",
> >                        data->logdir, pcap_geterr(pcap));
> >         }
> >         pcap_close(pcap);
> >     }
> >
> >  pcap_open_dead is being called with DAQ_GetBaseProtocol, which takes the
> > value from nfq_daq_get_datalink_type.
> >
> >  The problem is that nfq_daq_get_datalink_type now returns DLT_IPV4 or
> > DLT_IPV6 instead of DLT_RAW (as it did in 0.2). According to the pcap
> > manpage (http://www.tcpdump.org/pcap3_man.html) it supports neither of
> > those values.
>
>
> This causes the error when pcap_dump_open is called, as this error message
> shows (it's a pcap error message).
>
> >  ERROR: log_tcpdump: Failed to open log file
> > "/var/log/snort/snort.log.1300810527":
> > /var/log/snort/snort.log.1300810527: link-layer type -1 isn't supported
> in
> > savefiles
>
> --
> Kelvie Wong
> Software Developer
>
> Wurldtech Security Technologies Inc.
> Suite 1680 - 401 West Georgia St.
> Vancouver, B.C.  V6B 5A1
> Canada
>
> Phone:       + 1.604.669.6674
> Toll Free:   + 1.877.369.6674
> Fax:         + 1.604.669.2902
> Website:    http://www.wurldtech.com/
>
> "ARE YOU ACHILLES CERTIFIED?"
>
> This message is intended only for the named recipients. This message
> may contain information that is privileged, confidential or exempt
> from disclosure under applicable law. Any dissemination or copying
> of this message by anyone other than a named recipient is strictly
> prohibited. If you are not a named recipient or an employee or agent
> responsible for delivering this message to a named recipient, please
> notify us immediately by telephone at 604-669-6674, and permanently
> destroy this message and any copies you may have. Email may not be
> secure unless properly encrypted.
------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software 
be a part of the solution? Download the Intel(R) Manageability Checker 
today! http://p.sf.net/sfu/intel-dev2devmar

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel