[Snort-users] OpenPcap()

Gentoo-Wally gentoowally at ...11827...
Tue Jun 20 11:27:59 EDT 2006

I've started looking at snort 2.6.0 and have run into something strange.

Compile info:
1. gcc 4.1.1
2. ./configure --enable-dynamicplugin --enable-dependency-tracking
3. Have tried libpcap 0.9.4 and the current version of Phil Wood's libpcap
4. Gentoo Linux box
5. 'ifconfig eth0 up promisc' to bring the interface up

No errors during ./configure && make && make install

When I start snort it hangs for 15-30 seconds at...

Initializing Network Interface eth0
OpenPcap() device eth0 network lookup:
        eth0: no IPv4 address assigned
Decoding Ethernet on interface eth0

I'm starting it like this...

/usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c

Also tried...

/usr/local/bin/snort -i eth0 -l /var/log/snort -c

At this point memory consumption skyrockets to 95% usage even with
all preprocessors except flow turned off. After about 30 seconds it
finishes initializing and appears to work correctly, but at 95% memory
consumption, and swap usage begins kicking in.

I googled the OpenPcap message but found nothing that seems relevant
to my situation.

I also have a snort 2.4.5 install on the same box. When it starts I do
not see the OpenPcap message and it works flawlessly at around 18-24%
mem usage with all preprocessors on.

I also tried compiling 2.6.0 without the new dynamic preprocessors or
the dep tracking and I still get the OpenPcap message and crazy mem

Any ideas?


