[Snort-devel] All packets on 'lo' double-logged with 1.8.7/1.9.0

Jan Ploski jpljpl at ...578...
Fri Oct 18 10:17:04 EDT 2002


I posted the message to snort-users originally, but I guess this
mailing list is more appropriate:


Having installed 1.8.7 from source, I notice that each packet is being
logged twice (I used the following command lines: "snort -b -l . -i lo"
and "snort -dev -i lo"). So I upgraded to 1.9.0, but the problem persists.
It doesn't help to run snort with the -c option to point to the snort.conf
from the rules-stable.tar.gz distribution either.

On another machine I have snort 1.8.7 installed from a Debian package
and it's working fine.

Can you give me a hint about what I should investigate in my faulty
installation? Could it be due to some 'configure' options (I didn't
specify any but --prefix) or perhaps a wrong version of libpcap?
(SuSE's libpcapn-0.4a6-343 there..)


Since posting the above message, I installed libpcap-0.4 from source;
it did not help. I also observed that if I monitor eth0, the packets
are not double-logged. This happens only with the loopback interface.

I tried to figure out what is going on with gdb. It appears that
ProcessPacket in snort.c is being called twice for each packet.
But why? I am attaching the entire log of my gdb session.

Best regards -
Jan Ploski
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gdb.log
Type: application/octet-stream
Size: 2934 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20021018/b4b46adf/attachment.obj>
