[Snort-users] ethereal 0.9.8 can't read tcpdump.log.XXXX

Erek Adams erek at ...950...
Thu Jan 9 10:22:06 EST 2003


On Thu, 9 Jan 2003, Christian Bock wrote:

> ethereal says that the tcpdump.file is in no format it can understand,
> but tcpdump can read it. When "converting" the file with tcpdump,
> ( read it and write to another file ) ethereal can understand that file.
> Are there known troubles concerning this?
> Another question is how to safe the dumpfile, because for some
> reason the file is deleted when snort is stopped. ( is that the "normal"
> behaviour ? ) ... I would like to keep and analyze that file even when
> snort is stopped for some reason

Ok, something's not normal with your setup.  I'm able to start Snort, run
it, stop it, and read the dump with tcpdump or ethereal.

I'd hazard a guess that you have an older libpcap version.  IIRC, 3.7.1 is
the most current version of tcpdump and 0.7.1 is the most current version
of libpcap.  You might want to check that one or both of those isn't
outdated.

As for Snort deleting its logfiles, nothing that I can see in the code
does that.  What is the version of Snort you are running?  And if Snort
stops and deletes the file, how can you run tcpdump/ethereal over the pcap
file?  Something just isn't right--We've got a lot of users and I don't
ever recall someone having the pcap deleted when Snort exits.  How are you
running Snort?  Command line or thru a script?

I'm not saying you are crazy, I'm just saying something doesn't fit.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
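
When one tool opens a capture and another refuses it, the first thing to look at is what the file's header actually contains. The following is an added example, not code from this thread or from Snort, tcpdump or ethereal: a small checker for what a classic pcap reader validates before accepting a file (magic number and byte order, version 2.4, and whether every record header and payload is fully present). `build_pcap` constructs the sample input; its timestamps, snaplen and link type are assumed values.

```python
import struct

# pcap magic read as little-endian: gives the writer's byte order and timestamp unit
PCAP_MAGICS = {0xA1B2C3D4: ("<", "us"), 0xD4C3B2A1: (">", "us"),
               0xA1B23C4D: ("<", "ns"), 0x4D3CB2A1: (">", "ns")}
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16

def inspect_pcap(data):
    """Return (summary, problems) for classic pcap bytes: checks magic, version 2.4,
    and that every record header and payload is fully present."""
    problems = []
    if len(data) < GLOBAL_HDR_LEN:
        return {}, ["shorter than the 24-byte global header"]
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        return {"magic": hex(magic)}, ["unknown magic number, not a pcap file"]
    endian, resolution = PCAP_MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    summary = {"endian": endian, "resolution": resolution, "version": (major, minor),
               "snaplen": snaplen, "linktype": linktype, "records": 0}
    if (major, minor) != (2, 4):
        problems.append("unexpected pcap version %d.%d" % (major, minor))
    offset = GLOBAL_HDR_LEN
    while offset < len(data):  # walk the record chain to the end of the file
        if len(data) - offset < RECORD_HDR_LEN:
            problems.append("truncated record header at offset %d" % offset)
            break
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:
            problems.append("record %d has bad lengths incl=%d orig=%d"
                            % (summary["records"], incl_len, orig_len))
            break
        avail = len(data) - offset - RECORD_HDR_LEN
        if avail < incl_len:  # payload cut short, e.g. a file still being written
            problems.append("record %d truncated: need %d bytes, have %d"
                            % (summary["records"], incl_len, avail))
            break
        offset += RECORD_HDR_LEN + incl_len
        summary["records"] += 1
    return summary, problems

def build_pcap(packets, truncate=0):
    """Constructed sample: little-endian pcap 2.4, linktype 1, minus `truncate` tail bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(packets):
        out += struct.pack("<IIII", 1042092000 + i, 0, len(payload), len(payload)) + payload
    return out[:len(out) - truncate] if truncate else out
```

Run `inspect_pcap(open("tcpdump.log.XXXX", "rb").read())` against a real capture; an empty problem list with a non-zero record count means the file is one any pcap reader should accept.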