[Snort-users] snort and -i any

Fyodor fygrave at ...121...
Fri Mar 2 06:55:49 EST 2001


On Wed, Feb 28, 2001 at 01:46:18PM -0800, seph wrote:
> just to reclarify the problem, since there seem to be more questions now...
> 
> I currently have a version of snort, built from yesterday's cvs snapshot.
> it's linked against libpcap 0.6.2. I also have a tcpdump.
> 
> I have 2 computers. "seph" and "netsec" 
> my build environment is on seph, a machine with 1 NIC, and a loopback.
> netsec has many NICs, I really would like to use -i any on it...
> 
> tcpdump -i any works and spews massive output. lots of valid packets.
> 
> "snort -v" appears to work, and spews massively.
> examples:
> 02/28-13:28:09.396444 10.0.0.254:161 -> 10.0.2.15:1063
> UDP TTL:64 TOS:0x0 ID:33094 IpLen:20 DgmLen:465
> Len: 445
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 02/28-13:28:09.942520 10.0.0.254:161 -> 10.0.2.15:1063
> UDP TTL:64 TOS:0x0 ID:33096 IpLen:20 DgmLen:531
> Len: 511
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> it also produces what looks like a correct "Breakdown by protocol"
> 

Well, the thing might be that the format of the frame which is being passed from
the kernel has been changed. If you could make us a file in tcpdump format using tcpdump
(which would trigger this kind of error in snort) and share it, I will try to debug the problem.

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
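
One way to inspect the frame format recorded in a tcpdump-format file, as an added example that is not part of the original post or of Snort: it reads the pcap global header and reports the link-layer type. Linux captures taken with `-i any` carry the cooked-capture type LINUX_SLL (113) rather than Ethernet (1); the function name and the sample headers are constructed for illustration.

```python
import struct
import sys

# Link-layer header type values used in the pcap file header.
LINKTYPES = {
    0: "NULL (BSD loopback)",
    1: "EN10MB (Ethernet)",
    113: "LINUX_SLL (Linux cooked capture)",
}

# Magic as read big-endian -> struct byte-order prefix for the rest of the header.
MAGICS = {
    0xA1B2C3D4: ">",  # microsecond timestamps, big-endian file
    0xD4C3B2A1: "<",  # microsecond timestamps, little-endian file
    0xA1B23C4D: ">",  # nanosecond timestamps, big-endian file
    0x4D3CB2A1: "<",  # nanosecond timestamps, little-endian file
}


def pcap_linktype(header: bytes):
    """Return (number, name) of the link type in a 24-byte pcap global header."""
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack(">I", header[:4])
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    # Fields after the magic: version_major, version_minor, thiszone,
    # sigfigs, snaplen, network (link type).
    fields = struct.unpack(MAGICS[magic] + "HHiIII", header[4:24])
    linktype = fields[5] & 0xFFFF  # low 16 bits hold the link-layer type
    return linktype, LINKTYPES.get(linktype, "unknown")


# Constructed sample headers (not taken from the thread):
# a little-endian capture with link type 113 and a big-endian Ethernet one.
SAMPLE_ANY = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
SAMPLE_ETH = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: script.py capture.pcap
        with open(sys.argv[1], "rb") as fh:
            print(pcap_linktype(fh.read(24)))
    else:
        print(pcap_linktype(SAMPLE_ANY))
        print(pcap_linktype(SAMPLE_ETH))
```

A decoder that assumes Ethernet framing will misread every packet in a file whose link type is 113, so checking this field first narrows down where the decoding goes wrong.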



