[Snort-users] snort 1.8.4b1 dumping core

Martin Roesch roesch at ...1935...
Fri Feb 15 19:03:03 EST 2002


Ok, for the sake of my sanity, please tell me you're on Ethernet and not
PPPoE.  Is that true?

     -Marty

On 2/15/02 9:36 PM, "Kris Kennaway" <kris at ...1402...> wrote:

> On Mon, Feb 04, 2002 at 11:06:28PM +0700, Fyodor wrote:
>>> (gdb) bt
>>> #0  pcap_read (p=0x0, cnt=134884155, callback=0x875bac0, user=0xc <Address
>>> 0xc out of bounds>)
>>>     at /usr/src/lib/libpcap/../../contrib/libpcap/pcap-bpf.c:121
>>> #1  0x807f430 in pcap_loop (p=0x8130000, cnt=-1, callback=0x875bac0,
>>> user=0x0)
>>>     at /usr/src/lib/libpcap/../../contrib/libpcap/pcap.c:79
>> 
>> That's very interesting. Pcap_t struct ptr which we pass to pcap_loop is
>> a meaningful pointer but pcap_read already has it set to NULL. Very
>> likely something messy has happened. (also user ptr got overwritten,
>> that normally shouldn't happen).
>> Strange that it didn't coredump somewhere at the beginning of
>> pcap_read():
> 
> Just FYI, this hasn't gone away..I've rebuilt snort a couple of times
> in the meantime.  It seems to mostly dump core when I'm loading down
> the network it's monitoring.
> 
> All of the coredumps I've bothered to check are in the same place (as
> above).
> 
>> ls -l /var/cores/
> total 385056
> -rw-------  1 root  wheel  7311360 Feb  3 20:29 snort.0.23239.core
> -rw-------  1 root  wheel  8114176 Feb  6 19:17 snort.0.23903.core
> -rw-------  1 root  wheel  7311360 Feb  3 20:46 snort.0.25722.core
> -rw-------  1 root  wheel  8740864 Feb 15 18:29 snort.0.27952.core
> -rw-------  1 root  wheel  7430144 Feb  3 16:52 snort.0.29362.core
> -rw-------  1 root  wheel  7311360 Feb  3 20:49 snort.0.31452.core
> -rw-------  1 root  wheel  7843840 Feb  3 21:25 snort.0.31697.core
> -rw-------  1 root  wheel  7516160 Feb  2 16:22 snort.0.39788.core
> -rw-------  1 root  wheel  7344128 Feb  3 21:58 snort.0.47071.core
> -rw-------  1 root  wheel  8380416 Feb  3 20:24 snort.0.4715.core
> -rw-------  1 root  wheel  7491584 Feb  4 03:54 snort.0.58269.core
> -rw-------  1 root  wheel  7331840 Feb  3 17:10 snort.0.77834.core
> -rw-------  1 root  wheel  7323648 Feb  3 17:20 snort.0.77888.core
> -rw-------  1 root  wheel  7536640 Feb 15 18:29 snort.0.79705.core
> -rw-------  1 root  wheel  7532544 Feb 15 18:29 snort.0.80215.core
> -rw-------  1 root  wheel  7540736 Feb 15 18:30 snort.0.80981.core
> -rw-------  1 root  wheel  7561216 Feb 15 18:31 snort.0.82992.core
> -rw-------  1 root  wheel  7528448 Feb  2 16:43 snort.0.83120.core
> -rw-------  1 root  wheel  7532544 Feb 15 18:31 snort.0.83659.core
> -rw-------  1 root  wheel  7532544 Feb 15 18:32 snort.0.84139.core
> -rw-------  1 root  wheel  7561216 Feb 15 18:33 snort.0.85029.core
> -rw-------  1 root  wheel  7516160 Feb  2 15:28 snort.0.85884.core
> -rw-------  1 root  wheel  7311360 Feb  3 18:52 snort.0.88255.core
> -rw-------  1 root  wheel  7389184 Feb  3 15:59 snort.0.89818.core
> -rw-------  1 root  wheel  7569408 Feb  3 19:27 snort.0.90795.core
> -rw-------  1 root  wheel  7311360 Feb  4 04:20 snort.0.9569.core
>> 
> 
> Kris
> 

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-users mailing list