[Snort-users] Error trying to read in tcpdump file

Martin Roesch roesch at ...1935...
Tue Jun 12 22:21:59 EDT 2001


I use FreeBSD and OpenBSD interchangeably for development, they are very
nice, stable development environments.  I prefer OpenBSD as a sensor
platform.  In any case, Snort binary files written on a BSD system
should be readable from just about any other operating system, whereas
logs written on a linux box will be arbitrarily (depending on distro)
incompatible with everything other than their distro.  I'd recommend
using editcap(1) that comes with ethereal to normalize packet logs that
come off linux systems, it does a nice job of fixing the things that
redhat breaks.

     -Marty
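
An added example (not from this thread or from the Snort project) that decodes the 24-byte pcap global header so a capture's byte order and link type can be checked before it is handed to snort -r; the sample headers are constructed, and 0x71 is the value the thread's Snort build rejected (it is LINKTYPE_LINUX_SLL in the tcpdump.org link-layer type registry).

```python
import struct

# pcap magic numbers as they appear on disk, mapped to the struct byte-order
# prefix and the timestamp resolution they signal.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
}

# Link-layer header types relevant to this thread (tcpdump.org registry).
# 113 (0x71) is LINKTYPE_LINUX_SLL, the Linux "cooked" pseudo-header that
# Linux libpcap writes for the "any" device and for unsupported link types.
LINKTYPES = {0: "NULL", 1: "ETHERNET", 113: "LINUX_SLL"}

def inspect_pcap_header(data):
    """Decode the pcap global header; raise ValueError if it is not pcap."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = data[:4]
    if magic not in MAGICS:
        raise ValueError("not a libpcap file: magic %s" % magic.hex())
    endian, tsres = MAGICS[magic]
    major, minor, _tz, _sig, snaplen, network = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "byte_order": "big" if endian == ">" else "little",
        "ts_resolution": tsres,
        "version": "%d.%d" % (major, minor),
        "snaplen": snaplen,
        "linktype": network,
        "linktype_name": LINKTYPES.get(network, "unknown (0x%x)" % network),
    }

def build_header(network, snaplen=1514, endian="<"):
    """Constructed pcap global header, used here only as sample input."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    return magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, network)

# Constructed samples: a Linux cooked capture like the one in the thread
# (snaplen 1514, link type 0x71) and a plain Ethernet capture.
SAMPLE_LINUX_SLL = build_header(0x71)
SAMPLE_ETHERNET = build_header(1, endian=">")

if __name__ == "__main__":
    for blob in (SAMPLE_LINUX_SLL, SAMPLE_ETHERNET):
        print(inspect_pcap_header(blob))
```

A file that reports LINUX_SLL here needs its link type rewritten (the thread points at editcap) before an Ethernet-only reader will accept it.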

Jason Lewis wrote:
> 
> Ok....  Which BSD distribution?
> 
> I am working on documentation and How-To's for my install and RedHat is the
> corporate standard.  I figured I would stay with it, so someone else can
> deal with it while I am on vacation.  ;)
> 
> It will also make it easy for those new to Snort.
> 
> Anyone see any longterm problems?
> 
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure". The people at the
> other end of the link know less about security than you do. And that's
> scary.
> 
> -----Original Message-----
> From: roesch at ...2250... [mailto:roesch at ...2250...]On
> Behalf Of Martin Roesch
> Sent: Tuesday, June 12, 2001 9:51 AM
> To: jlewis at ...1831...
> Cc: 'Snort Mailing List'
> Subject: Re: [Snort-users] Error trying to read in tcpdump file
> 
> Sorry, Redhat has a really bad tendency to mess with stuff and not tell
> anyone about it, they've been "sorta" compatible for a long time and
> they're getting worse about it (struct timeval anyone?  how about their
> own private pcap extensions?).
> 
> Redhat is the reason that I stopped developing on linux and switched to
> BSD.
> 
>     -Marty
> 
> Jason Lewis wrote:
> >
> > HEY!!!  No attacks on my distribution!!  ;)
> >
> > Yes they are both RedHat.  Now that you mention it, one is 2.4 and the other
> > is 2.2.
> >
> > jas
> >
> > -----Original Message-----
> > From: snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Martin
> > Roesch
> > Sent: Monday, June 11, 2001 10:44 PM
> > To: 'Snort Mailing List'
> > Subject: Re: [Snort-users] Error trying to read in tcpdump file
> >
> > Is one of them a linux box and the other not (or worse yet, one of them
> > a redhat box)?
> >
> >    -Marty
> >
> > Jason Lewis wrote:
> > >
> > > DUH!!.....  It looks like I am not using the same version of libpcap on both
> > > servers.
> > >
> > > -----Original Message-----
> > > From: snort-users-admin at lists.sourceforge.net
> > > [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Jason Lewis
> > > Sent: Monday, June 11, 2001 9:54 PM
> > > To: 'Snort Mailing List'
> > > Subject: [Snort-users] Error trying to read in tcpdump file
> > >
> > >         --== Initializing Snort ==--
> > > TCPDUMP file reading mode.
> > > Reading network traffic from "/home/jlewis/snort-0611 at ...2234..." file.
> > > snaplen = 1514
> > > ERROR: OpenPcap() FSM compilation failed:
> > >         unknown data link type 0x71
> > > PCAP command: (null)
> > > Fatal Error, Quitting..
> > >
> > > Here is the command I am using.
> > >
> > > /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -r
> > > /home/jlewis/snort-0611 at ...2234...
> > >
> > > What am I missing?  I am ftping this from a remote sensor to my db server
> > > and trying to replay the file to populate the db.
> > >
> > > Jason Lewis
> > > http://www.packetnexus.com
> > > It's not secure "Because they told me it was secure". The people at the
> > > other end of the link know less about security than you do. And that's
> > > scary.
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > --
> > Martin Roesch
> > roesch at ...1935...
> > http://www.sourcefire.com - http://www.snort.org