[Snort-users] Having trouble using -b switch

Chris Reid Chris.Reid at ...2817...
Fri Sep 27 16:32:02 EDT 2002


If memory serves correctly, the patch for this problem under Win32 never got
committed into the source code before the 1.8.7 version was frozen.  The
code tries to flush an output buffer;  it works properly under Unix, but not
under Win32.

For those of you who want to tweak the 1.8.7 source code, attached is the
original patch.  In particular, pay attention to the #ifdef within the
patch, which corrects the offending line of code.

Chris Reid.


----- Original Message -----
From: "Dan Harpold" <danharp at ...7001...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, September 27, 2002 1:08 PM
Subject: RE: [Snort-users] Having trouble using -b switch


> I've been having a similar problem. Whenever I run in binary mode, it shuts
> down as soon as it tries to write an entry to the log. It creates the log
> file and writes 24 bytes to it. It fails after the first write after that.
> In regular mode, it runs fine. I just downloaded the latest version of
> winpcap (3.0a).
>
> I am also a newbie to snort, so I may be missing something here. This is
> happening on two different machines (similar hardware, both with Intel Pro
> 100 NIC).
>
> When I run -W, I get the following:
>
> 1  \Device\NPF_{guid} {Intel(R) Pro Adapter (Microsoft's PAcket Scheduler) }
> 2  \Device\NPF_NdisWanIP {NdisWan Adapter (Microsoft's Packet Scheduler) }
>
> Any help would be appreciated.
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris Green
> Sent: Friday, September 27, 2002 1:13 PM
> To: Snort Users List
> Subject: Re: [Snort-users] Having trouble using -b switch
>
>
> rkeller at ...7000... writes:
>
> > Yes, it does.  And, when in binary mode, a new log file is created within
> > the log directory.
>
> Please do a snort -W to list the interfaces. You may be running into
> the libpcap buffer overrun.  In that case, you'll need a newer winpcap.
> --
> Chris Green <cmg at ...1935...>
> A watched process never cores.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spo_log_tcpdump.c_diff
Type: application/octet-stream
Size: 3107 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020927/963bf08d/attachment.obj>
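The 24 bytes reported in the quoted message match the size of the libpcap file header, so a log in that state holds no packet records at all. The following is an added example, not code from this thread, the Snort source or the scrubbed patch: it counts complete records in a tcpdump-format log and flags a cut-off trailing record. It assumes the classic libpcap format (magic `0xa1b2c3d4`); `pcap_count_records` and `sample` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GLOBAL_HDR_LEN 24 /* magic, version, thiszone, sigfigs, snaplen, linktype */
#define RECORD_HDR_LEN 16 /* ts_sec, ts_usec, incl_len, orig_len */

/* Constructed sample: global header plus one record carrying 4 bytes of data. */
const unsigned char sample[44] = {
    0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 1,0,0,0,
    0,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef
};

/* Read a 32-bit field in the byte order indicated by the file's magic. */
static uint32_t rd32(const unsigned char *p, int be)
{
    return be ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
              : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Returns -1 if buf is not a classic pcap file, else the number of complete
 * records; *truncated is set when trailing bytes do not form a whole record. */
int pcap_count_records(const unsigned char *buf, size_t len, int *truncated)
{
    size_t off = GLOBAL_HDR_LEN;
    int be, count = 0;

    *truncated = 0;
    if (len < GLOBAL_HDR_LEN) return -1;
    if (rd32(buf, 0) == 0xa1b2c3d4u) be = 0;       /* written little-endian */
    else if (rd32(buf, 1) == 0xa1b2c3d4u) be = 1;  /* written big-endian */
    else return -1;

    while (off < len) {
        uint32_t incl_len;
        if (len - off < RECORD_HDR_LEN) { *truncated = 1; break; }
        incl_len = rd32(buf + off + 8, be);         /* captured length of this record */
        if (len - off - RECORD_HDR_LEN < incl_len) { *truncated = 1; break; }
        off += RECORD_HDR_LEN + incl_len;
        count++;
    }
    return count;
}

int main(void)
{
    int t, n = pcap_count_records(sample, 24, &t); /* header-only case */
    printf("records=%d truncated=%d\n", n, t);
    return 0;
}
```

A result of zero records with no truncation is the header-only state described in the quoted message; a set truncation flag means a write stopped partway through a record.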

