[Snort-users] OpenPcap()

Joel Esler joel.esler at ...1935...
Tue Jun 20 11:56:54 EDT 2006



Snort 2.6 uses more memory than its predecessors.  The OpenPcap msg you
saw is normal, it's just telling you that there is no IP assigned to the
sniffing interface (eth0).  Which, if you are using a promisc card
interface with no IP, is exactly what you want...

Joel

Gentoo-Wally wrote:
> I've started looking at snort 2.6.0 and have run into something strange.
> 
> Compile info:
> 1. gcc 4.1.1
> 2. ./configure --enable-dynamicplugin --enable-dependency-tracking --with-libpcap-includes=/usr/include/ --with-libpcap-libraries=/usr/lib/
> 3. Have tried libpcap 0.9.4 and the current version of Phil Wood's libpcap
> 4. Gentoo Linux box
> 5. 'ifconfig eth0 up promisc' to bring the interface up
> 
> No errors during ./configure && make && make install
> 
> when I start snort it hangs for 15-30 seconds at...
> 
> Initializing Network Interface eth0
> OpenPcap() device eth0 network lookup:
>         eth0: no IPv4 address assigned
> Decoding Ethernet on interface eth0
> 
> 
> I'm starting it like this..
> 
> /usr/local/bin/snort -i eth0 -u snort -l /var/log/snort -c /usr/local/etc/snort/snort.conf
> 
> also tried...
> 
> /usr/local/bin/snort -i eth0 -l /var/log/snort -c /usr/local/etc/snort/snort.conf
> 
> 
> At this point memory consumption skyrockets to 95% usage even with
> all preprocessors except flow turned off. After about 30 seconds it
> finishes initializing and appears to work correctly but at 95% memory
> consumption and swap usage begins kicking in.
> 
> I googled the OpenPcap message but found nothing that seems relevant
> to my situation.
> 
> I also have a snort 2.4.5 install on the same box. When it starts I do
> not see the OpenPcap message and it works flawlessly at around 18-24%
> mem usage with all preprocessors on.
> 
> I also tried compiling 2.6.0 without the new dynamic preprocessors or
> the dep tracking and I still get the openpcap message and crazy mem
> usage.
> 
> Any ideas?
> 
> Wally
> 
> 

--
+---------------------------------------------------------------------+
Joel Esler  	     Senior Security Consultant 	1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
Snort - Open Source Network IPS/IDS -- http://www.snort.org
GPG Key http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+
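
A check of the sensor setup described in the reply above (sniffing interface up and promiscuous, with no IPv4 address), as an added example that is not part of the original thread. It assumes iproute2's `ip -o` output format; the sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passive sniffing interface from `ip -o` output.
# The functions take captured text so they can be exercised offline; on a
# live sensor pass "$(ip -o link show dev eth0)" and
# "$(ip -o -4 addr show dev eth0)" instead of the samples.

# Constructed sample output (not taken from the thread).
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR_NONE=''
SAMPLE_ADDR_SET='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# has_flag LINK_TEXT FLAG: succeeds if FLAG is in the <...> flag list.
# Comma-delimited matching keeps "UP" from matching "LOWER_UP".
has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^[0-9]*: [^:]*: <\([^>]*\)>.*/\1/p')
    case ",$flags," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# ipv4_count ADDR_TEXT: prints how many IPv4 addresses are listed.
ipv4_count() {
    printf '%s\n' "$1" | awk '$3 == "inet" { n++ } END { print n + 0 }'
}

# audit_sniffer LINK_TEXT ADDR_TEXT: prints a verdict, returns 0 only when
# the interface is up, promiscuous and has no IPv4 address.
audit_sniffer() {
    has_flag "$1" UP || { echo "FAIL: interface is down"; return 1; }
    has_flag "$1" PROMISC || { echo "FAIL: PROMISC flag not set"; return 1; }
    n=$(ipv4_count "$2")
    [ "$n" -eq 0 ] || { echo "FAIL: $n IPv4 address(es) assigned"; return 1; }
    echo "OK: up, promiscuous, no IPv4 address"
}

audit_sniffer "$SAMPLE_LINK" "$SAMPLE_ADDR_NONE"
```

The PROMISC flag shows up here when it was set administratively, as with the `ifconfig eth0 up promisc` step in the quoted message.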



