[Snort-devel] pcap logging in inline mode broken?

Florian Westphal fwestphal at ...2119...
Thu Oct 29 06:38:29 EDT 2009


Disclaimer: I am seeing this on a patched snort (nfqueue support) 2.8.5/2.8.5.1;
I did not try to reproduce this with the vanilla sources.

When running in inline mode and with "-k pcap", data gets written to the
pcap file, but tcpdump misinterprets its contents -- the pcap_handle has
not been opened with DLT_RAW, even though inline.c:InitInline() does
that.

It works fine when snort is run without -D flag.

From looking at the vanilla snort.c source (2.8.5.1), I think this is what's happening:

int SnortMain(int argc, char *argv[])
{
[..]
    SnortInit(argc, argv);  // Calls InitInline() -> opens pcap_handle in _RAW mode

    if (ScDaemonMode())
    {
        /* Test pcap open if daemonizing so that we FatalError before
         * daemonizing if pcap cannot be opened. */
        InitPcap(1);

        if (pcap_handle != NULL) // Zaps _RAW pcap_handle     <----- HERE
        {
            pcap_close(pcap_handle);
            pcap_handle = NULL;
        }
        printf("pcap_handle before GoDaemon: %p\n", (void *)pcap_handle);

        GoDaemon();
    }
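A stand-alone model of the ordering problem described in the post, added here as an illustration and not taken from snort or the nfqueue patch: a global handle is opened in raw mode by one initialiser, and a later "trial open, then close" probe on the same global discards it, so whatever opens the handle afterwards decides the link type the pcap log is written with. libpcap is replaced by a constructed `fake_pcap_t` that records only the link type; `init_inline`, `probe_pcap_buggy`, `probe_pcap_fixed` and the assumed later non-raw reopen are hypothetical names standing in for the InitInline()/InitPcap() sequence quoted above. The DLT values are the real libpcap constants.

```c
#include <stdio.h>
#include <stdlib.h>

/* Real libpcap link-type values; only these two matter for the model. */
#define DLT_EN10MB 1   /* Ethernet */
#define DLT_RAW    12  /* raw IP, what inline mode logs */

/* Constructed stand-in for pcap_t: just the link type it was opened with. */
typedef struct { int linktype; } fake_pcap_t;

static fake_pcap_t *fake_open(int linktype) {
    fake_pcap_t *p = malloc(sizeof *p);
    if (p) p->linktype = linktype;
    return p;
}
static void fake_close(fake_pcap_t *p) { free(p); }

/* The shared global that both initialisers write to (the root of the bug). */
static fake_pcap_t *pcap_handle = NULL;

/* Hypothetical stand-in for InitInline(): opens the handle in DLT_RAW mode. */
static void init_inline(void) {
    pcap_handle = fake_open(DLT_RAW);
}

/* Buggy probe, modelled on the daemon-mode branch quoted in the post:
 * the trial open lands in the shared global, and the clean-up closes
 * "the" handle, so the raw-mode handle is overwritten and lost. */
static void probe_pcap_buggy(void) {
    pcap_handle = fake_open(DLT_EN10MB);     /* InitPcap(1) in the model */
    if (pcap_handle != NULL) {
        fake_close(pcap_handle);
        pcap_handle = NULL;                  /* raw handle gone */
    }
}

/* Illustrative fix (not a snort patch): probe on a local, and leave a
 * handle that inline mode already opened untouched. */
static int probe_pcap_fixed(void) {
    fake_pcap_t *probe;
    if (pcap_handle != NULL)
        return 0;                            /* inline mode already owns one */
    probe = fake_open(DLT_EN10MB);
    if (probe == NULL)
        return -1;                           /* would FatalError before daemonising */
    fake_close(probe);
    return 0;
}

/* Run the modelled start-up order and return the link type the pcap
 * logger would end up using. Assumption: after daemonising, a later
 * normal open fills a NULL handle with a non-raw (Ethernet) capture. */
int startup_linktype(int daemon_mode, int use_fixed) {
    int lt;
    pcap_handle = NULL;
    init_inline();
    if (daemon_mode) {
        if (use_fixed) probe_pcap_fixed(); else probe_pcap_buggy();
        if (pcap_handle == NULL)
            pcap_handle = fake_open(DLT_EN10MB);   /* assumed later reopen */
    }
    lt = pcap_handle ? pcap_handle->linktype : -1;
    fake_close(pcap_handle);
    pcap_handle = NULL;
    return lt;
}

int main(void) {
    printf("foreground        -> DLT %d\n", startup_linktype(0, 0));  /* 12 */
    printf("daemon, as quoted -> DLT %d\n", startup_linktype(1, 0));  /* 1  */
    printf("daemon, fixed     -> DLT %d\n", startup_linktype(1, 1));  /* 12 */
    return 0;
}
```

The foreground and fixed runs keep DLT_RAW; the run that mirrors the quoted daemon branch ends up on a non-raw handle, which is the mismatch tcpdump then trips over when reading the log. The fix's point is ownership: a probe that only exists to fail early should never write to, or close through, a global another subsystem already populated.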
