[Snort-devel] A question regarding InitializeInterfaces

Dirk Geschke Dirk_Geschke at ...802...
Mon Nov 19 07:20:02 EST 2001


Hi all,

maybe one simple question, but what is the reason for calling
the function InitializeInterfaces twice?

Background: In snort.c there is a comment,

 * HP-UX 10.x note from Chris Sylvain:
 * if you run snort and receive the error message
 *  "ERROR: OpenPcap() device lan0 open:
 *                    recv_ack: promisc_phys: Invalid argument"
 * it's because there's another program running using the DLPI service.
 * The HP-UX implementation doesn't allow more than one libpcap program
 * at a time to run, unlike Linux.

This is correct, you are only able to use one DLPI service. With the 
first call for InitializeInterface this one service is in use. This 
is first done before reading the configuration file:

    {
        /*
         * if no interfaces were specified we would need one anyway
         */
        if(!ifr_count)
            ifr_count++;

        /* preemptively initialize the interface so that 
         * output plugins like the tcpdump logger will be able to
         * start properly
         */ 
        InitializeInterfaces();
        ReadConfFile();
    }

I think this call is here not necessary (or there is a close on the opened
device missing), it is called again later on:

    /*
     * if we're not reading packets from a file, open the network interface
     * for reading
     */
    if(!pv.readmode_flag)
    {
        DebugMessage(DEBUG_INIT, "Opening interface: %s\n", 
PRINT_INTERFACE(pv.i
nterfaces[0]));
        /* open up our libpcap packet capture interface */
        InitializeInterfaces();
    }

With HP-UX 10.20 snort will fail at this point with the message:

 ERROR: OpenPcap() device lan0 open:
                recv_ack: promisc_phys: Invalid argument

(Clear, this is the second OpenPcap call without closing the first...)

Best regards,

Dirk
-- 
+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Stra/3e 26            |
+------------------------------------------------------------+






More information about the Snort-devel mailing list