[Snort-users] OpenPcap()

Gentoo-Wally gentoowally at ...11827...
Tue Jun 20 11:27:59 EDT 2006


I've started looking at snort 2.6.0 and have run into something strange.

Compile info:
1. gcc 4.1.1
2. ./configure --enable-dynamicplugin --enable-dependency-tracking --with-libpcap-includes=/usr/include/ --with-libpcap-libraries=/usr/lib/
3. Have tried libpcap 0.9.4 and the current version of Phil Wood's libpcap
4. Gentoo Linux box
5. 'ifconfig eth0 up promisc' to bring the interface up

No errors during ./configure && make && make install

When I start snort it hangs for 15-30 seconds at...

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
        eth0: no IPv4 address assigned
Decoding Ethernet on interface eth0


I'm starting it like this..

/usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c /usr/local/etc/snort/snort.conf

Also tried...

/usr/local/bin/snort -i eth0 -l /var/log/snort -c /usr/local/etc/snort/snort.conf


At this point memory consumption skyrockets to 95% usage even with
all preprocessors except flow turned off. After about 30 seconds it
finishes initializing and appears to work correctly, but at 95% memory
consumption, and swap usage begins kicking in.

I googled the OpenPcap message but found nothing that seems relevant
to my situation.

I also have a snort 2.4.5 install on the same box. When it starts I do
not see the OpenPcap message and it works flawlessly at around 18-24%
mem usage with all preprocessors on.

I also tried compiling 2.6.0 without the new dynamic preprocessors or
the dep tracking and I still get the OpenPcap message and crazy mem
usage.

Any ideas?

Wally
