[Snort-users] Snort on Linux Help

John Sage jsage at ...2022...
Mon Nov 26 08:18:02 EST 2001


David Wilkeson wrote:

> I'm running Redhat which was preinstalled on a new Dell server.  libpcap 
> was installed, but when it didn't work I removed it and installed 
> various versions myself.

What "various versions"?

The only version worth bothering with is at: http://www.tcpdump.org/

and is libpcap-0.6.2.tar.gz

> None of them work.

What do you mean? They won't compile? They won't install?

They compile and install, but then what?

You *really* need to be more specific about what you've got, and what's 
happening, for someone to be able to help you...

> Do some net cards not 
> support promiscuous mode even when the syslog reports them going into 
> promiscuous mode?

Promiscuous mode isn't necessary for tcpdump/libpcap to "work" -- it 
just lets you see more than you might otherwise..

If "ifconfig -a" says the particular interface you're talking about is 
in promiscuous mode, I'd be willing to bet that it *is*..

What's the output from "uname -a"?

What's the output from "tcpdump -V" if that's working at all...?

- John

> At 02:22 PM 11/21/2001 -0800, you wrote:
>> OK, what flavor of Linux distribution are you running? Have you built
>> your own kernel or are you using the 'stock' one? RedHat, Mandrake and
>> Slackware all seem to properly support libpcap right out of the box...
>> In any case - until either tcpdump or ethereal work (both use libpcap)
>> you won't get anywhere with snort...
