[Snort-devel] [PATCHES] Fixes for daq_nfq

Kelvie Wong kwong at ...3121...
Tue Mar 22 20:42:13 EDT 2011


Hey Russ,

On March 22, 2011 04:51:49 PM Russ Combs wrote:
> Are you using the latest Snort?  The NFQ DAQ was recently changed to return
> the IP4 or IP6 flavor instead of RAW because Snort determines the layer 3
> protocol from the layer 2 header, and in this case there is no layer 2
> header.  Returning IP4 or IP6 allows Snort to work with either.
> 
> 
Yeah, I'm using Snort 2.9.0.4; I think the main problem is that this value is 
being handed over to libpcap, in the pcap_open_dead line.  If you feed it 
DLT_IPV4, it will set its link layer type to -1, as it does not recognize it.


>     if (!ScTestMode())
>     {
>         pcap_t* pcap = pcap_open_dead(DAQ_GetBaseProtocol(),
>                                       DAQ_GetSnapLen());
>         data->dumpd = pcap ? pcap_dump_open(pcap, data->logdir) : NULL;
> 
>         if(data->dumpd == NULL)
>         {
>             FatalError("log_tcpdump: Failed to open log file \"%s\": %s\n",
>                        data->logdir, pcap_geterr(pcap));
>         }
>         pcap_close(pcap);
>     }
> 
> pcap_open_dead is being called with DAQ_GetBaseProtocol, which takes the
> value from nfq_daq_get_datalink_type.
> 
> The problem is that nfq_daq_get_datalink_type now returns DLT_IPV4 or
> DLT_IPV6 instead of DLT_RAW (as it did in 0.2). According to the pcap
> manpage (http://www.tcpdump.org/pcap3_man.html) it supports neither of
> those values.
> 


This causes the error when pcap_dump_open is called, as this error message 
shows (it's a pcap error message).

>  ERROR: log_tcpdump: Failed to open log file
> "/var/log/snort/snort.log.1300810527":
> /var/log/snort/snort.log.1300810527: link-layer type -1 isn't supported in
> savefiles

-- 
Kelvie Wong
Software Developer

Wurldtech Security Technologies Inc.
Suite 1680 - 401 West Georgia St.
Vancouver, B.C.  V6B 5A1
Canada

Phone:       + 1.604.669.6674
Toll Free:   + 1.877.369.6674
Fax:         + 1.604.669.2902
Website:    http://www.wurldtech.com/

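The failure described in this message, as an added example that is not part of the thread and not code from Snort, the DAQ or libpcap: a standard-library Python model of what the log_tcpdump path does when it hands the DAQ base protocol to pcap_open_dead() and then pcap_dump_open(). pcap_open_dead() accepts any DLT number, but the savefile writer has to translate the DLT into a LINKTYPE for the file header, and a DLT with no table entry becomes -1 and is refused with the message quoted in the log above. The DLT and LINKTYPE numbers (DLT_RAW = 12, stored as LINKTYPE_RAW = 101; DLT_IPV4 = 228; DLT_IPV6 = 229) are the values from pcap/dlt.h; the two mapping tables are hypothetical excerpts, one that knows only DLT_RAW as the thread describes and one that also knows the IP-only DLTs; the timestamp default is the epoch value from the log file name in the message; the packets are constructed.

```python
"""
Toy model of pcap_open_dead() + pcap_dump_open() + pcap_dump(): the DAQ
link type must be one the savefile writer can map, or it becomes -1.
Constructed example; the mapping tables are hypothetical excerpts.
"""
import struct

# DLT values from pcap/dlt.h and the LINKTYPE values written into savefiles.
# DLT_RAW is 12 on Linux but is stored as LINKTYPE_RAW = 101 in a savefile.
DLT_EN10MB, DLT_RAW, DLT_IPV4, DLT_IPV6 = 1, 12, 228, 229
LINKTYPE_ETHERNET, LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6 = 1, 101, 228, 229

# A libpcap that, as in the thread, knows DLT_RAW but not DLT_IPV4/DLT_IPV6.
LEGACY_DLT_TO_LINKTYPE = {DLT_EN10MB: LINKTYPE_ETHERNET, DLT_RAW: LINKTYPE_RAW}
# A libpcap whose table also has the two IP-only DLTs.
CURRENT_DLT_TO_LINKTYPE = {**LEGACY_DLT_TO_LINKTYPE,
                           DLT_IPV4: LINKTYPE_IPV4, DLT_IPV6: LINKTYPE_IPV6}

PCAP_MAGIC = 0xA1B2C3D4   # little-endian savefile, microsecond timestamps
GLOBAL_HDR = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"      # ts_sec, ts_usec, caplen, origlen


def dlt_to_linktype(dlt, table):
    """Savefile LINKTYPE for a DLT, or -1 when the table has no entry for it."""
    return table.get(dlt, -1)


def dump_open_error(dlt, table):
    """What pcap_dump_open() would complain about for this DLT, or None."""
    if dlt_to_linktype(dlt, table) == -1:
        return "link-layer type -1 isn't supported in savefiles"
    return None


def global_header(dlt, snaplen, table):
    """The 24-byte savefile header, or ValueError with the thread's message."""
    err = dump_open_error(dlt, table)
    if err is not None:
        raise ValueError(err)
    return struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen,
                       dlt_to_linktype(dlt, table))


def dump_packet(ts_sec, ts_usec, payload, snaplen):
    """One record: truncated to snaplen, original length preserved."""
    captured = payload[:snaplen]
    return struct.pack(RECORD_HDR, ts_sec, ts_usec, len(captured), len(payload)) + captured


def build_savefile(dlt, snaplen, packets, table, ts0=1300810527):
    """Write a complete savefile; ts0 defaults to the epoch seconds that
    appear in the log file name quoted in the thread."""
    blob = bytearray(global_header(dlt, snaplen, table))
    for i, pkt in enumerate(packets):
        blob += dump_packet(ts0 + i, 0, pkt, snaplen)
    return bytes(blob)


def read_savefile(blob):
    """Parse a savefile back as (linktype, [(ip_version, origlen), ...]).
    For the IP-only link types the first nibble of each packet is the IP
    version; there is no layer 2 header to consult, which is why DLT_RAW
    works for both IPv4 and IPv6 traffic."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack(GLOBAL_HDR, blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("bad magic")
    ip_only = (LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6)
    off, packets = 24, []
    while off < len(blob):
        _ts_sec, _ts_usec, caplen, origlen = struct.unpack(RECORD_HDR, blob[off:off + 16])
        data = blob[off + 16:off + 16 + caplen]
        off += 16 + caplen
        version = data[0] >> 4 if linktype in ip_only else None
        packets.append((version, origlen))
    return linktype, packets


# Constructed packets: a bare 20-byte IPv4 header and a bare 40-byte IPv6 header.
IPV4_PKT = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
IPV6_PKT = bytes([0x60]) + bytes(39)

if __name__ == "__main__":
    print("legacy table, DLT_IPV4:", dump_open_error(DLT_IPV4, LEGACY_DLT_TO_LINKTYPE))
    blob = build_savefile(DLT_RAW, 1514, [IPV4_PKT, IPV6_PKT], LEGACY_DLT_TO_LINKTYPE)
    print("legacy table, DLT_RAW:", read_savefile(blob))
    print("current table, DLT_IPV4:", dump_open_error(DLT_IPV4, CURRENT_DLT_TO_LINKTYPE))
```

The point for anyone wiring a DAQ into a pcap logger is the one the thread makes: the value returned by the DAQ's datalink-type hook is not just consumed by Snort's decoder, it is also written into every savefile header, so it has to be a DLT the installed libpcap can map. DLT_RAW is the portable choice for IP-only capture because every reader recovers the IP version from the first nibble, as read_savefile() does above.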