[Snort-devel] [ snort-Bugs-543346 ] Snort 1.8.5 on Win32 with WinPcap 2.3

noreply at ...12... noreply at ...12...
Thu May 2 09:53:29 EDT 2002


Bugs item #543346, was opened at 2002-04-13 03:32
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=543346&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Snort 1.8.5 on Win32 with WinPcap 2.3

Initial Comment:
Hello All,

I have just finished installing the snort 1.8.5 on 
Win2k Server. However, it cannot detect the network 
card. I have VMWare 3.0 on top of the same machine 
only, so I guess it should be the problem of the 
winpcap driver. cause it should 

Initializing Network Interface
ERROR: OpenPcap() device open:
      error opening adapter
Fatal Error, Quitting..

However, the Winpcap already works fine for windump. 
So I suspected that there may be some problem with the 
compatibility issue of Snort 1.8.5 on Winpcap 2.3. 

Can someone please give me some suggestions?

Thanks.

Ricci

----------------------------------------------------------------------

Comment By: John Goggan (jgoggan)
Date: 2002-05-02 07:32

Message:
Logged In: YES 
user_id=497241

Basically, this is a solved issue -- it just hasn't been 
integrated yet.  I did some testing and then sent 
everything over to Chris Reid -- who confirmed what I had 
said and corrected the issue.

Basically, the libpcap.lib in the snort CVS tree is old and 
has only a 1024 byte buffer for storing the interfaces 
returned.  On some systems, this is not large enough.  The 
latest libpcap.lib from WinPcap 2.3 actually has a 8192 
byte buffer -- and works fine.

Therefore, the problem is easily correctable -- snort just 
needs to start using the latest libpcap.lib from WinPcap.

Now, if you want to test that this is actually the problem, 
try this...

Do a "snort -W" to list your interfaces.  If it stops after 
printing "1" on a line by itself, then you likely have this 
problem.

To confirm that it is not an access permissions issue, 
run "windump -D".  If that properly lists your interfaces, 
then the above is pretty much definitely your problem!

If "windump -D" also cannot list the interfaces, then it is 
some other problem.  (This is because windump actually 
allocates a 8192 byte buffer already when it makes the 
interface list call through the winpcap.dll instead of 
through the packet.dll, I believe.)

So -- problem solved.  Just a matter of time.  In the 
meantime, you can grab the latest libpcap.lib and 
packet.lib from WinPcap and relink snort with them to solve 
the problem.


----------------------------------------------------------------------

Comment By: Dr. Andrew Blyth (ajcblyth)
Date: 2002-05-02 05:18

Message:
Logged In: YES 
user_id=532306

This looks like the error message that you get when the 
account that you are using to run Snort does not have 
access permission to the card/device.



----------------------------------------------------------------------

Comment By: John Goggan (jgoggan)
Date: 2002-04-25 07:58

Message:
Logged In: YES 
user_id=497241

I believe this is related to the following...

When using packet.dll, I believe that the BufferSize is too 
small for the possible interface list returned from the 
OS.  When using packet.dll (at least with Snort), it 
appears that the buffer is only 1024 bytes.  Here is the 
packet.dll debug output of "snort -W" on one of my machines:

************Packet32: DllMain************
PacketGetAdapterNames: BufferSize=1024
Need 1246 bytes for the names
PacketGetAdapterNames: GlobalAlloc Failed

As you can see, the buffer size is 1024 and 1246 bytes are 
needed.  Doing an interface list from WinDump on the same 
machine works fine -- and the BufferSize shown in debug is 
8192 bytes.  This is because WinDump uses wpcap.dll 
instead -- and it allocates a 8192 byte buffer before 
calling PacketGetAdapterNames.

Looking at the source, I do not yet know how the buffer is 
allocated before calling PacketGetAdapterNames in 
packet.dll.  (Sorry, I just started looking at the WinPCap 
stuff yesterday :).

In any case, I'm relatively certain this is the problem -- 
I just do not yet know how to correct it in the packet.dll 
source.  It should just be a matter of causing it to 
allocate a larger buffer.


----------------------------------------------------------------------
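
The failure shown in the packet.dll debug output above (a 1024-byte buffer where 1246 bytes are needed), as an added example that is not part of the original thread and is not Snort or WinPcap code. fake_get_adapter_names is a hypothetical stand-in, and its reporting the required size back to the caller is an assumption; the example contrasts a fixed-size caller with one that grows the buffer and retries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in, NOT the packet.dll API: the name list needs 1246 bytes. */
#define NAMES_NEEDED 1246UL
/* Returns 1 and fills buf; returns 0 and stores the needed size in *size if too small. */
static int fake_get_adapter_names(char *buf, unsigned long *size)
{
    unsigned long have = *size;
    *size = NAMES_NEEDED;
    if (buf == NULL || have < NAMES_NEEDED)
        return 0;
    memset(buf, 'A', NAMES_NEEDED - 1);    /* placeholder name data */
    buf[NAMES_NEEDED - 1] = '\0';
    return 1;
}

/* Fixed-size caller, the failure mode in the thread. Returns 1 on success. */
int list_fixed(unsigned long bufsize)
{
    unsigned long size = bufsize;
    char *buf = malloc(bufsize);
    int ok = buf != NULL && fake_get_adapter_names(buf, &size);
    free(buf);
    return ok;
}

/* Grow-and-retry caller: reallocate to the reported size. Returns bytes used, 0 on failure. */
unsigned long list_retry(unsigned long initial)
{
    unsigned long size = initial;
    char *buf = malloc(size);
    while (buf != NULL) {
        unsigned long asked = size;
        if (fake_get_adapter_names(buf, &size)) { free(buf); return size; }
        if (size <= asked) break;           /* no larger size reported: give up */
        char *bigger = realloc(buf, size);
        if (bigger == NULL) break;          /* buf is still valid and freed below */
        buf = bigger;
    }
    free(buf);
    return 0;
}

int main(void) {
    printf("fixed 1024: %d, fixed 8192: %d, retry from 1024: %lu bytes\n",
           list_fixed(1024), list_fixed(8192), list_retry(1024));
    return 0;
}
```
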
