[Snort-users] ethereal 0.9.8 can't read tcpdump.log.XXXX
Christian.Bock at ...7944...
Fri Jan 10 02:24:07 EST 2003
the problem of unreadable file was that two instances of snort where running,
when only one is running everything is fine
the problem of the deleted dump does not occure when running snort via
command line, but when stopping via webmin. ( have now to figure out
that one ... )
Am Donnerstag, 9. Januar 2003 19:13 schrieb Erek Adams:
> On Thu, 9 Jan 2003, Christian Bock wrote:
> > ethereal says that the tcpdump.file is in no format it can understand,
> > but tcpdump can read it. When "converting" the file with tcpdump,
> > ( read it and write to another file ) ethereal can understand that file.
> > Are there known troubles concerning this?
> > Another question is how to safe the dumpfile, because for some
> > reason the file is deleted when snort is stopped. ( is that the "normal"
> > behaviour ? ) ... I would like to keep and analyze that file even when
> > snort is stopped for some reason
> Ok, somethings not normal with your setup. I'm able to start Snort, run
> it, stop it, and read the dump with tcpdump or ethereal.
> I'd hazard a guess that you have an older libpcap version. IIRC, 3.7.1 is
> the most current version of tcpdump and 0.7.1 is the most current version
> of libpcap. You might want to check that one or both of those isn't
> As for Snort deleting it's logfiles, nothing that I can see in the code
> does that. What is the version of Snort you are running? And if Snort
> stops and deletes the file, how can you run tcpdump/ethereal over the pcap
> file? Something just isn't right--We've got a lot of users and I don't
> ever recall someone having the pcap deleted when Snort exits. How are you
> running Snort? Command line or thru a script?
> I'm not saying you are crazy, I'm just saying something doesn't fit. :)
> Erek Adams
> "When things get wierd, the wierd turn pro." H.S. Thompson
More information about the Snort-users