[Snort-users] BUG of "config bpf_file"

Peng Yong ppyy at ...5444...
Wed May 1 08:45:12 EDT 2002


> On Wed, May 01, 2002 at 04:07:26PM +0800, Peng Yong wrote:
> > 
> > i have a flowing line in snort.conf:
> > 
> > config bpf_file: snort.bpf
> > 
> > and the content of snort.bpf:
> > 
> > tcp port 80
> > 
> > 
> > but bpf_file config in snort rules file can't set filter to bpf.
> > 
> > i check the code in snort.c and find snort pcap_compile the filter
> > before parse the snort.bpf.
> Not in my version.  Try using gdb and set a breakpoint just before the
> pcap_setfilter call and look at the contents of pv.pcap_cmd.  If it's
> still null, you probably need to upgrade to a current snort.
> > 

I have debuged snort by gdb before i send last email.

the pv.pcap_cmd is null when i set it in the rule file. it is ok when i
set it in the command line.

i also compiled a debug version of snort by:

 ./configure --enable-debug

and the debug informantion also report same information.

I have testing 1.8.6 and latest source from CVS.

--
Peng Yong                     Email: ppyy at ...5444...
Bentium Ltd.                  URL: http://www.cn99.com





More information about the Snort-users mailing list