[Snort-users] tcpdump for [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])]

John Sage jsage at ...2022...
Mon Jul 22 15:15:04 EDT 2002


On Mon, Jul 22, 2002 at 04:21:09PM -0500, max valdez wrote:
> Ok, I'm having a mayor problem here
> I can see others can read perfectly my tcpdump, but I cant, so what can
> be wrong ?, I changes from RH7.3 libpcap to 0.7.1, recompiled snort and
> still seeing the same error on "snort -v" or reading the dump file.
> Agree is not a router switch problem, but the what is it ?? I'm deeper
> than this morning, help pleas !!
> Max
> -- 

Are you capturing the packets in the first place via snort, or tcpdump?

If tcpdump, try capturing packets with snort -b and adjust your
snort.conf accordingly, if needed..

Compile snort afresh (which I think you have..) and let *it* capture
the packets.

Then read them back with snort -dv -r [filename]

I do that all the time (in fact I *only* -b binary log..) and I know
it works.

- John
"Cowardly refusing to create an empty archive."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 

More information about the Snort-users mailing list