[Snort-devel] reading pcap from pipes
Môshe Van der Sterre
me at ...2996...
Mon Nov 3 05:13:11 EST 2008
Some time ago, I asked how to use a pipe as input for stdin on your
Because I received no answer, today I went looking a bit why this does
not work. It seems all files to be opened are checked on S_IFREG.
Disabling that check gives no error for me, so I wonder why that check
is in there. Can someone explain this?
If there is no particular reason to check for S_IFREG in the case of
PCAP_SINGLE, I might make a patch removing it.
I have not looked at the code for other types, but if these are
implemented using a select or poll mechanism, I see no reason to keep
the S_IFREG checks at all.
Also, I noticed someone recently posted a patch on using stdin (
I think this (reversed) patch is not the correct way to do this, but
being able to use "snort -r -" might be a useful option.
If not, "snort -r /proc/self/fd/0" does of course already work (with files).
Môshe van der Sterre
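
The effect of an S_IFREG check on a pipe, as an added example that is not part of the original message and is not Snort's code: it classifies an open descriptor with fstat() and compares a regular-file-only policy with a relaxed one that still refuses directories. All function and enum names are hypothetical, and the relaxed policy is an assumption about what a replacement check could look like.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for pipe(), fileno(), S_ISSOCK */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for illustration; not taken from Snort. */
enum src_kind { SRC_ERROR = -1, SRC_REGULAR, SRC_STREAM, SRC_OTHER };

/* Classify an open descriptor by the file type bits in st_mode. */
enum src_kind classify_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return SRC_ERROR;                 /* bad descriptor */
    if (S_ISREG(st.st_mode))
        return SRC_REGULAR;
    if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode) || S_ISCHR(st.st_mode))
        return SRC_STREAM;                /* pipe, socket, tty: sequential only */
    return SRC_OTHER;                     /* directory, block device */
}

/* Regular-file-only policy: the S_IFREG check the message describes. */
int strict_accepts(int fd) { return classify_fd(fd) == SRC_REGULAR; }

/* Relaxed policy (assumption): also take streams, still refuse the rest. */
int relaxed_accepts(int fd)
{
    enum src_kind k = classify_fd(fd);
    return k == SRC_REGULAR || k == SRC_STREAM;
}

int main(void)
{
    int p[2];
    FILE *tmp = tmpfile();                /* constructed regular file */
    int dir = open(".", O_RDONLY);        /* constructed directory fd */
    if (tmp == NULL || dir < 0 || pipe(p) != 0)
        return 1;
    printf("file: strict=%d relaxed=%d\n",
           strict_accepts(fileno(tmp)), relaxed_accepts(fileno(tmp)));
    printf("pipe: strict=%d relaxed=%d\n",
           strict_accepts(p[0]), relaxed_accepts(p[0]));
    printf("dir:  strict=%d relaxed=%d\n",
           strict_accepts(dir), relaxed_accepts(dir));
    return 0;
}
```

A path such as /proc/self/fd/0 is classified by whatever stdin actually is, so it passes the strict policy only when stdin is redirected from a regular file.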