[Snort-devel] pcap logging in inline mode broken?

Florian Westphal fwestphal at ...2119...
Thu Oct 29 06:38:29 EDT 2009

Disclaimer: I am seeing this on a patched snort (nfqueue support) 2.8.5;
I did not try to reproduce this with the vanilla sources.

When running in inline mode and with "-k pcap", data gets written to the
pcap file, but tcpdump misinterprets its contents -- the pcap_handle has
not been opened with DLT_RAW, even though inline.c:InitInline() does.

It works fine when snort is run without -D flag.

From looking at the vanilla snort.c source, I think this is what's happening:

int SnortMain(int argc, char *argv[])
    SnortInit(argc, argv);  // Calls InitInline() -> opens pcap_handle in _RAW mode

    if (ScDaemonMode())
        /* Test pcap open if daemonizing so that we FatalError before
         * daemonizing if pcap cannot be opened. */

        if (pcap_handle != NULL) // Zaps _RAW pcap_handle     <----- HERE
            pcap_handle = NULL;
        printf("pcap_handle before GoDaemon: %p\n", (void *)pcap_handle);
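Added example (editor's illustration, not code from the post or from snort): a small C model of the start-up ordering described above. It stands in a fake handle carrying only a link-layer type for the real pcap_t, models InitInline() opening the global handle in DLT_RAW mode, then runs the daemon-mode "test open" in the buggy shape (it treats whatever sits in the global as its own test handle, closes it and clears the global, so the later default open hands back Ethernet) and in an ownership-respecting shape (it only closes a handle it opened itself). The names model_*, startup_linktype and the assumption that the later default open yields DLT_EN10MB are constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the start-up ordering described in the post (not snort code).
 * Only the link-layer type of the handle is modelled. */
#define DLT_EN10MB 1    /* Ethernet: what a default open hands back (assumption) */
#define DLT_RAW    12   /* raw IP: what inline/nfqueue mode needs */

typedef struct {
    int linktype;
} model_pcap_t;

/* stands in for snort's global pcap_handle */
static model_pcap_t *g_pcap_handle = NULL;

static model_pcap_t *model_open(int linktype)
{
    model_pcap_t *h = malloc(sizeof *h);
    if (h == NULL)
        abort();
    h->linktype = linktype;
    return h;
}

/* stands in for InitInline(): opens the global handle in raw mode early */
static void model_init_inline(void)
{
    g_pcap_handle = model_open(DLT_RAW);
}

/* stands in for the regular open that runs later when nothing is set yet */
static void model_open_default_if_unset(void)
{
    if (g_pcap_handle == NULL)
        g_pcap_handle = model_open(DLT_EN10MB);
}

/* buggy shape from the post: the daemon-mode test open assumes that whatever is
 * in the global belongs to it, so it frees it and clears the global */
static void model_daemon_test_open_buggy(void)
{
    if (g_pcap_handle == NULL)
        g_pcap_handle = model_open(DLT_EN10MB);  /* the "test" open */
    free(g_pcap_handle);            /* closes InitInline's raw handle too */
    g_pcap_handle = NULL;           /* the "zap" marked HERE in the post */
}

/* ownership-respecting shape: only close a handle this block opened itself */
static void model_daemon_test_open_fixed(void)
{
    model_pcap_t *test;
    if (g_pcap_handle != NULL)
        return;                     /* an earlier stage already owns an open handle */
    test = model_open(DLT_EN10MB);
    free(test);                     /* test succeeded; nothing else to tear down */
}

/* Runs the modelled start-up and returns the link type the dumper ends up with. */
int startup_linktype(int inline_mode, int daemon_mode, int use_fixed)
{
    int lt;
    g_pcap_handle = NULL;
    if (inline_mode)
        model_init_inline();
    if (daemon_mode) {
        if (use_fixed)
            model_daemon_test_open_fixed();
        else
            model_daemon_test_open_buggy();
    }
    model_open_default_if_unset();
    lt = g_pcap_handle->linktype;
    free(g_pcap_handle);
    g_pcap_handle = NULL;
    return lt;
}

int main(void)
{
    printf("inline, no -D      : linktype %d\n", startup_linktype(1, 0, 0));
    printf("inline, -D (buggy) : linktype %d\n", startup_linktype(1, 1, 0));
    printf("inline, -D (fixed) : linktype %d\n", startup_linktype(1, 1, 1));
    return 0;
}
```

The check a reviewer wants from a "test open before daemonizing" block is the one in the fixed variant: it must not tear down state it did not create. If a global handle is already set, the test is moot and the block should leave it alone; otherwise it opens, verifies and closes its own handle and touches nothing else.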

