[Snort-devel] [ snort-Bugs-543346 ] Snort 1.8.5 on Win32 with WinPcap 2.3

noreply at ...12... noreply at ...12...
Thu Apr 25 15:21:27 EDT 2002

Bugs item #543346, was opened at 2002-04-13 03:32
You can respond by visiting: 

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Snort 1.8.5 on Win32 with WinPcap 2.3

Initial Comment:
Hello All,

I have just finished installing the snort 1.8.5 on 
Win2k Server. However, it cannot detect the network 
card. I have VMWare 3.0 on top of the same machine 
only, so I guess it should be the problem of the 
winpcap driver. cause it should 

Initializing Network Interface
ERROR: OpenPcap() device open:
      error opening adapter
Fatal Error, Quitting..

However, the Winpcap already works fine for windump. 
So I suspected that there may be some problem with the 
compatibility issue of Snort 1.8.5 on Winpcap 2.3. 

Can someone please give me some suggestions?




Comment By: John Goggan (jgoggan)
Date: 2002-04-25 07:58

Logged In: YES 

I believe this is related to the following...

When using packet.dll, I believe that the BufferSize is too 
small for the possible interface list returned from the 
OS.  When using packet.dll (at least with Snort), it 
appears that the buffer is only 1024 bytes.  Here is the 
packet.dll debug output of "snort -W" on one of my machines:

************Packet32: DllMain************
PacketGetAdapterNames: BufferSize=1024
Need 1246 bytes for the names
PacketGetAdapterNames: GlobalAlloc Failed

As you can see, the buffer size is 1024 and 1246 bytes are 
needed.  Doing an interface list from WinDump on the same 
machine works fine -- and the BufferSize shown in debug is 
8192 bytes.  This is because WinDump uses wpcap.dll 
instead -- and it allocates a 8192 byte buffer before 
calling PacketGetAdapterNames.

Looking at the source, I do not yet know how the buffer is 
allocated before calling PacketGetAdapterNames in 
packet.dll.  (Sorry, I just started looking at the WinPCap 
stuff yesterday :).

In any case, I'm relatively certain this is the problem -- 
I just do not yet know how to correct it in the packet.dll 
source.  It should just be a matter of causing it to 
allocate a larger buffer.


You can respond by visiting: 

More information about the Snort-devel mailing list