[Snort-users] Fwd: Snort and ippp0 Interface

Carsten Blume cblume at ...1789...
Wed Apr 11 07:56:10 EDT 2001


Some more info:
When I use the old version of libpcap I get the error shown below,
so IMHO libpcap 0.6.2 is the modified one but Snort is not able 
to recognize/handle this kind of traffic.

Is there a solution/patch available?

Carsten

-*> Snort! <*-
Version 1.7
By Martin Roesch (roesch at ...66..., www.snort.org)
[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
04/11-13:47:13.719528 xx.xx.xx.xx:29514 -> xx.xx.xx.xx:22
TCP TTL:121 TOS:0x0 ID:14755 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x1AB95  Ack: 0xF4A589EF  Win: 0x2114  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
[!] WARNING: Not IPv4 datagram! ([ver: 0x0][len: 0x3])
04/11-13:47:13.850880 xx.xx.xx.xx:29514 -> xx.xx.xx.xx:22
TCP TTL:121 TOS:0x0 ID:15011 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x1AB95  Ack: 0xF4A58C7F  Win: 0x1E84  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

>-----Original Message-----
>From: Carsten Blume 
>Sent: Wednesday, 11 April 2001 11:50
>To: 'snort-users at lists.sourceforge.net'
>Subject: Snort and ippp0 Interface
>
>
>Hi,
>
>here is the error message I receive when I try to start snort
>on my ippp0 interface.
>
>Snort Version 1.7
>
>www:/var/log # snort -edv -i ippp0
>        --== Initializing Snort ==--
>Initializing Network Interface ippp0
>snort cannot handle data link type 113
>Exiting...
>
>While debugging I found the following in snort.c:
>
>/*
>* you need the I4L modified version of libpcap to get this stuff
>* working
>*/
>
>But where do I get this version? I fetched the latest version 
>of libpcap from
>www.tcdump.org but I still get the same error message. (BTW: 
>the version available 
>on the download section is 0.4. The one available on 
>www.tcdump.org is 0.6.2).
>
>I queried Google but did not receive anything useful except 
>one message 
>regarding bpf.h:
>http://archives.neohapsis.com/archives/snort/2001-02/0338.html
>
>Could someone please tell me where I can get this *$%&$& 
>version of libpcap
>because having Snort listening on my internal eth0 interface is not
>really exciting ;-)
>
>Thanks in advance
>
>Carsten Blume
>
>N.B.: please tell me if the tcpdump workers mailing list is a better
>place for this e-mail
>
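
Data link type 113 in the quoted error is libpcap's DLT_LINUX_SLL (Linux "cooked" capture, a 16-byte pseudo-header in front of the network-layer packet). The following is an added example, not code from Snort or from the original post: it shows how a decoder picks the network-layer offset from the link type, and how reading the IP version nibble at the wrong offset gives a value other than 4. The function names and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DLT_EN10MB    1      /* Ethernet: 14-byte header, type at offset 12 */
#define DLT_LINUX_SLL 113    /* Linux cooked: 16-byte header, protocol at offset 14 */
#define ETHERTYPE_IP  0x0800

/* Constructed sample: SLL header followed by a bare 20-byte IPv4 header. */
static const uint8_t sample_sll[] = {
    0x00, 0x00,                       /* packet type: addressed to us */
    0x02, 0x00,                       /* ARPHRD type 512 (PPP) */
    0x00, 0x00,                       /* link-layer address length: 0 */
    0, 0, 0, 0, 0, 0, 0, 0,           /* address field (unused, zero padded) */
    0x08, 0x00,                       /* protocol: IPv4 */
    0x45, 0x00, 0x00, 0x28, 0x39, 0xA3, 0x40, 0x00,  /* v4, IHL 5, len 40, DF */
    0x79, 0x06, 0x00, 0x00,           /* TTL 121, TCP, checksum left as zero */
    192, 0, 2, 1,  192, 0, 2, 2       /* documentation-range addresses */
};

/* Offset of the IPv4 header for this link type, or -1 if the link type is
 * unknown, the frame is too short, or the payload is not IPv4. */
static int l3_offset(int dlt, const uint8_t *pkt, size_t len)
{
    size_t hdr, proto_off;
    switch (dlt) {
    case DLT_EN10MB:    hdr = 14; proto_off = 12; break;
    case DLT_LINUX_SLL: hdr = 16; proto_off = 14; break;
    default:            return -1;    /* decoder has no handler for this type */
    }
    if (len < hdr + 20)
        return -1;
    uint16_t proto = (uint16_t)((pkt[proto_off] << 8) | pkt[proto_off + 1]);
    return proto == ETHERTYPE_IP ? (int)hdr : -1;
}

/* IP version nibble as seen at a given offset, or -1 if out of range. */
static int ip_version_at(const uint8_t *pkt, size_t len, size_t off)
{
    return off < len ? (int)(pkt[off] >> 4) : -1;
}

int main(void)
{
    int off = l3_offset(DLT_LINUX_SLL, sample_sll, sizeof sample_sll);
    printf("SLL offset %d, version %d\n", off,
           ip_version_at(sample_sll, sizeof sample_sll, (size_t)off));
    printf("version if read at offset 0: %d\n",
           ip_version_at(sample_sll, sizeof sample_sll, 0));
    return 0;
}
```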



