[Snort-devel] pcap logging in inline mode broken?
fwestphal at ...2119...
Thu Oct 29 06:38:29 EDT 2009
Disclaimer: I am seeing this on a patched snort (nfqueue support) 2.8.5/220.127.116.11;
I did not try to reproduce this with the vanilla sources.
When running in inline mode and with "-k pcap", data gets written to the
pcap file, but tcpdump misinterprets its contents -- the pcap_handle has
not been opened with DLT_RAW, even though inline.c:InitInline() does
It works fine when snort is run without the -D flag.
From looking at the vanilla snort.c source (18.104.22.168), I think this is what's happening:
int SnortMain(int argc, char *argv[])
    SnortInit(argc, argv); /* Calls InitInline() -> opens pcap_handle in _RAW mode */

    /* Test pcap open if daemonizing so that we FatalError before
     * daemonizing if pcap cannot be opened. */
    if (pcap_handle != NULL) /* Zaps _RAW pcap_handle <----- HERE */
        pcap_handle = NULL;

    printf("pcap_handle before GoDaemon: %p\n", (void *)pcap_handle);
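To illustrate why a consumer such as tcpdump misreads a file whose link type does not match what was written into it, here is an added stand-alone example (not code from the post or from Snort). It writes a one-packet pcap file by hand using the standard file-header layout (LINKTYPE_ETHERNET = 1, LINKTYPE_RAW = 101 are the real pcap file-format values; the 20-byte IPv4 header is constructed sample data) and then decodes the first packet the way a reader would, trusting the file's link type. The raw-IP bytes decode correctly under LINKTYPE_RAW and come out as garbage under LINKTYPE_ETHERNET, which is the symptom described above when the handle opened in _RAW mode is discarded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* pcap file-format link types (not the per-platform DLT_* numbers) */
#define LINKTYPE_ETHERNET 1
#define LINKTYPE_RAW      101

/* pcap global header and per-packet record header, written in host byte order */
struct pcap_file_hdr {
    uint32_t magic;      /* 0xa1b2c3d4 */
    uint16_t ver_major;  /* 2 */
    uint16_t ver_minor;  /* 4 */
    int32_t  thiszone;
    uint32_t sigfigs;
    uint32_t snaplen;
    uint32_t linktype;
};
struct pcap_rec_hdr {
    uint32_t ts_sec, ts_usec, incl_len, orig_len;
};

/* Constructed sample: a minimal IPv4 header (20 bytes) with no link-layer
 * framing, i.e. the kind of packet an inline/nfqueue hook hands to the logger. */
static const uint8_t ip_packet[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2
};

/* Write a single-packet pcap file with the given link type; 0 on success. */
int write_pcap(const char *path, uint32_t linktype, const uint8_t *pkt, uint32_t len)
{
    struct pcap_file_hdr fh = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535u, linktype };
    struct pcap_rec_hdr rh = { 0, 0, len, len };
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    int ok = fwrite(&fh, sizeof fh, 1, fp) == 1 &&
             fwrite(&rh, sizeof rh, 1, fp) == 1 &&
             fwrite(pkt, 1, len, fp) == len;
    fclose(fp);
    return ok ? 0 : -1;
}

/* Read the first packet and interpret it as a pcap consumer would, trusting
 * the file's link type. Returns the IP version it decodes (4 or 6), or -1
 * when the framing implied by the link type does not fit the bytes. */
int decode_first_packet(const char *path)
{
    struct pcap_file_hdr fh;
    struct pcap_rec_hdr rh;
    uint8_t buf[256];
    FILE *fp = fopen(path, "rb");
    if (fp == NULL)
        return -1;
    if (fread(&fh, sizeof fh, 1, fp) != 1 || fh.magic != 0xa1b2c3d4u ||
        fread(&rh, sizeof rh, 1, fp) != 1 || rh.incl_len > sizeof buf ||
        fread(buf, 1, rh.incl_len, fp) != rh.incl_len) {
        fclose(fp);
        return -1;
    }
    fclose(fp);

    if (fh.linktype == LINKTYPE_RAW) {
        /* No link header: the first nibble is the IP version. */
        int version = buf[0] >> 4;
        return (version == 4 || version == 6) ? version : -1;
    }
    if (fh.linktype == LINKTYPE_ETHERNET) {
        /* Reader skips a 14-byte Ethernet header and dispatches on EtherType;
         * with raw IP bytes this lands inside the IP addresses. */
        if (rh.incl_len < 14)
            return -1;
        unsigned ethertype = (buf[12] << 8) | buf[13];
        if (ethertype == 0x0800) return 4;
        if (ethertype == 0x86dd) return 6;
        return -1;
    }
    return -1;
}

int main(void)
{
    write_pcap("/tmp/raw_ok.pcap", LINKTYPE_RAW, ip_packet, sizeof ip_packet);
    write_pcap("/tmp/raw_as_eth.pcap", LINKTYPE_ETHERNET, ip_packet, sizeof ip_packet);
    printf("LINKTYPE_RAW      -> IP version %d\n", decode_first_packet("/tmp/raw_ok.pcap"));
    printf("LINKTYPE_ETHERNET -> IP version %d\n", decode_first_packet("/tmp/raw_as_eth.pcap"));
    return 0;
}
```

The same packet bytes are written both times; only the link type in the global header differs, which is the whole of what an InitInline()-opened handle in _RAW mode contributes and what is lost when that handle is nulled before GoDaemon and reopened with the default link type.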