[Snort-users] snort and -i any

seph seph at ...1436...
Fri Mar 2 15:23:43 EST 2001


Fyodor <fygrave at ...121...> writes:

> On Wed, Feb 28, 2001 at 01:46:18PM -0800, seph wrote:
> > just to reclarify the problem, since there seem to be more questions now...
> > 
> > I currently have a version of snort, built from yesterday's cvs snapshot.
> > it's linked against libpcap 0.6.2. I also have a tcpdump.
> > 
> > I have 2 computers. "seph" and "netsec" 
> > my build environment is on seph, a machine with 1 NIC, and a loopback.
> > netsec has many NICs, I really would like to use -i any on it...
> > 
> > tcpdump -i any works and spews massive output. lots of valid packets.
> > 
> > "snort -v" appears to work, and spews massively.
> > examples:
> > 02/28-13:28:09.396444 10.0.0.254:161 -> 10.0.2.15:1063
> > UDP TTL:64 TOS:0x0 ID:33094 IpLen:20 DgmLen:465
> > Len: 445
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > 
> > 02/28-13:28:09.942520 10.0.0.254:161 -> 10.0.2.15:1063
> > UDP TTL:64 TOS:0x0 ID:33096 IpLen:20 DgmLen:531
> > Len: 511
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> > it also produces what looks like a correct "Breakdown by protocol"
> > 
> 
> Well, the thing might be that the format of the frame being passed from the
> kernel has been changed. If you could make us a file in tcpdump format using tcpdump
> (which would trigger this kind of error in snort) and share it, I will try to debug the problem.


Sure.
I put a tcpdump of some ping packets in http://www.mit.edu/~seph/tcpdump.out
I captured it with "tcpdump -w /tmp/tcpdump.out -s 1500"

Thanks,
seph
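The frame-format mismatch Fyodor suspects is what a decoder runs into when a `-i any` capture, which Linux libpcap records with the "cooked" link type DLT_LINUX_SLL and a 16-byte link header, is parsed as if it were Ethernet (DLT_EN10MB, 14-byte header). The following is an added example, not code from this thread or from Snort: it builds a small cooked-capture pcap in memory from constructed ping-like packets (modelled on the capture described above, not the linked file) and decodes it both ways, honouring the pcap link type and then forcing the Ethernet assumption.

```python
import struct
import socket

DLT_EN10MB = 1        # Ethernet: 14-byte link-layer header
DLT_LINUX_SLL = 113   # Linux "cooked" capture (what -i any records): 16-byte header
LINK_HDR_LEN = {DLT_EN10MB: 14, DLT_LINUX_SLL: 16}

def build_ipv4(src, dst, proto, payload):
    """Constructed sample IPv4 header (checksum left at zero; not checked here)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_sll_pcap(packets):
    """Constructed sample: wrap raw IPv4 packets in a little-endian DLT_LINUX_SLL pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1500, DLT_LINUX_SLL)
    for i, ip in enumerate(packets):
        # SLL header: packet type, ARPHRD type (1 = Ethernet), address length,
        # 8-byte address field, then the encapsulated protocol (0x0800 = IPv4)
        sll = struct.pack(">HHH8sH", 0, 1, 6, b"\x00\x11\x22\x33\x44\x55\x00\x00", 0x0800)
        frame = sll + ip
        # per-packet header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 983000000 + i, 0, len(frame), len(frame)) + frame
    return out

def decode(data, assume_linktype=None):
    """Return (linktype, [(src, dst, proto) or None per packet]).

    The link header length follows the pcap's own link type unless the caller
    forces one; assume_linktype=DLT_EN10MB mimics a decoder that expects Ethernet.
    """
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    hdr_len = LINK_HDR_LEN[assume_linktype or linktype]
    results, off = [], 24
    while off < len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = frame[hdr_len:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            results.append(None)  # no IPv4 version nibble where expected: wrong link header length
            continue
        results.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[9]))
    return linktype, results

if __name__ == "__main__":
    cap = build_sll_pcap([build_ipv4("10.0.2.15", "10.0.0.254", 1, b"\x08\x00" + b"\x00" * 6)])
    print(decode(cap))                                # decoded correctly via DLT 113
    print(decode(cap, assume_linktype=DLT_EN10MB))    # misparsed when Ethernet is assumed
```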
