[Snort-users] bad dump file format... huh?

Roman Danyliw roman at ...438...
Tue Nov 14 08:39:43 EST 2000


Are you using Redhat Linux?  As of version 6.0, Redhat assumed that the
development effort with libpcap was dead and made changes to
libpcap (and tcpdump).  In particular, these changes surrounded the
timestamp format and addressed issues with multiple interfaces.  As a
consequence of these modifications, tcpdump-generated files under Redhat
will not be valid with Snort (any version).  Try downloading an
"unbroken" copy of libpcap/tcpdump from www.tcpdump.org.

cheers,
Roman

> ---------- Forwarded message ----------
> Date: Tue, 14 Nov 2000 10:15:46 -0600 (CST)
> From: "A.L.Lambert" <alambert at ...387...>
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] bad dump file format... huh?
>
>       Hrmm... I've got one file for sure (and 2 more that I still have
> to verify) that were created by snort (1.6.3_patch1) in tcpdump binary
> logging mode (snort -b), which as far as tcpdump is concerned, are
> perfectly fine (tcpdump -n -r dumpfile reads them just fine anyway), but
> I cannot read these files with snort itself; neither the snort binary that
> created the dumpfile, nor the CVS-derived snort binary I use to import
> the dump files into my MySQL database.
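
The check a practitioner would want at this point is to look at the first
four bytes of the dump file: stock libpcap accepts only its own magic
(0xa1b2c3d4, in either byte order) and reports "bad dump file format" for
anything else, while the patched libpcap shipped with those Red Hat releases
wrote a different magic (0xa1b2cd34) and an extended per-record header. The
script below is an added example; it is not code from Roman's reply, from
Snort or from libpcap. It detects which of the two layouts a file uses,
parses both, and rewrites the modified layout as a standard file that an
unpatched Snort or tcpdump can read. The modified-format layout it assumes
(the 0xa1b2cd34 magic and eight extra bytes per record: ifindex, protocol,
pkt_type, pad) is the one documented in Wireshark's libpcap reader for the
Kuznetsov-patched libpcap; the meaning of those extra fields is not used,
only their length. The two-packet input is constructed for the demo, not a
real capture.

```python
import struct

# Magic numbers at offset 0 of a libpcap savefile, written in the writer's byte order.
PCAP_MAGIC = 0xA1B2C3D4           # standard tcpdump/libpcap savefile, microsecond timestamps
PCAP_MODIFIED_MAGIC = 0xA1B2CD34  # "modified" libpcap (patched Red Hat 6.x builds); layout assumed
                                  # as documented by Wireshark's libpcap reader

GLOBAL_HDR_FMT = "IHHiIII"        # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_FMT = "IIII"              # ts_sec, ts_usec, incl_len, orig_len
MOD_EXTRA_FMT = "IHBB"            # ifindex, protocol, pkt_type, pad: 8 extra bytes per record

GLOBAL_HDR_LEN = struct.calcsize("<" + GLOBAL_HDR_FMT)   # 24
REC_HDR_LEN = struct.calcsize("<" + REC_HDR_FMT)         # 16
MOD_EXTRA_LEN = struct.calcsize("<" + MOD_EXTRA_FMT)     # 8


def detect_format(data):
    """Classify a savefile by its magic: ('standard'|'modified'|'unknown', struct endian prefix)."""
    if len(data) < 4:
        return ("unknown", None)
    for endian in ("<", ">"):                 # try both byte orders, like pcap_open_offline does
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAP_MAGIC:
            return ("standard", endian)
        if magic == PCAP_MODIFIED_MAGIC:
            return ("modified", endian)
    return ("unknown", None)


def read_records(data):
    """Parse either layout; return a list of (ts_sec, ts_usec, orig_len, packet_bytes)."""
    kind, endian = detect_format(data)
    if kind == "unknown":
        raise ValueError("bad dump file format")   # what an unpatched libpcap reports here
    extra_len = MOD_EXTRA_LEN if kind == "modified" else 0
    off = GLOBAL_HDR_LEN
    records = []
    while off < len(data):
        if off + REC_HDR_LEN + extra_len > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + REC_HDR_FMT, data[off:off + REC_HDR_LEN])
        off += REC_HDR_LEN + extra_len       # skip the modified layout's extra 8 bytes, if present
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, pkt))
    return records


def to_standard(data):
    """Rewrite a modified-layout savefile as a standard one; packet bytes are copied unchanged."""
    kind, endian = detect_format(data)
    if kind == "standard":
        return data
    if kind != "modified":
        raise ValueError("bad dump file format")
    ghdr = list(struct.unpack(endian + GLOBAL_HDR_FMT, data[:GLOBAL_HDR_LEN]))
    ghdr[0] = PCAP_MAGIC                      # only the magic changes in the global header
    out = [struct.pack(endian + GLOBAL_HDR_FMT, *ghdr)]
    for ts_sec, ts_usec, orig_len, pkt in read_records(data):
        out.append(struct.pack(endian + REC_HDR_FMT, ts_sec, ts_usec, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def make_sample(modified, endian="<"):
    """Constructed two-packet savefile in either layout (demo input, not captured traffic)."""
    linktype_ethernet = 1
    magic = PCAP_MODIFIED_MAGIC if modified else PCAP_MAGIC
    out = [struct.pack(endian + GLOBAL_HDR_FMT, magic, 2, 4, 0, 0, 1514, linktype_ethernet)]
    for i, payload in enumerate((b"\x00" * 60, b"\xff" * 42)):
        out.append(struct.pack(endian + REC_HDR_FMT, 974200000 + i, 1000 * i,
                               len(payload), len(payload)))
        if modified:
            out.append(struct.pack(endian + MOD_EXTRA_FMT, 2, 0x0800, 0, 0))
        out.append(payload)
    return b"".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                    # usage: script.py in.dump out.pcap
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        print("input layout:", detect_format(data))
        with open(sys.argv[2], "wb") as f:
            f.write(to_standard(data))
    else:
        sample = make_sample(modified=True)
        print("sample:", detect_format(sample), "->", detect_format(to_standard(sample)))
```

Run with an input and output path to convert a real file; with no
arguments it demonstrates the conversion on the constructed sample. A file
that tcpdump reads but Snort rejects, as in the report above, is exactly the
case where detect_format() returns "modified" while an unpatched
pcap_open_offline() sees a foreign magic and refuses it.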