[Snort-users] Corrupted Frame and Exit
miked at ...14531...
Sun Mar 8 19:21:52 EDT 2009
I searched the email archives and checked with Google and didn't find anything relevant so I thought I'd try here.
I'm having a problem with Snort where it reports a corrupted frame and dies immediately afterwards. Snort might die immediately or it might run for a few hours. Here are a couple of syslog entries from when it dies:
Mar 6 01:26:06 rockenfield snort: pcap_loop: corrupted frame on kernel ring mac offset 1502 + caplen 1514 > frame len 1568
Mar 7 10:10:12 rockenfield snort: pcap_loop: corrupted frame on kernel ring mac offset 1114 + caplen 1114 > frame len 1568
Of course, the tcpdump log doesn't show anything. When it exits, it just shows that packets were discarded and that's it. The alert log has nothing at all.
I have two NIC's and I thought it might be one of them so I switched it out but it did not fix the problem. The other NIC is on the motherboard and I could disable that and install another PCI NIC but I haven't tried that yet.
Here is some system info. I'm running AMD Athlon 64 X2 dual core 3800+ with 8GB of RAM. The OS is Debian squeeze/6.0 running the 2.6.21 amd64 kernel. My network config is like so: cable modem is connected to eth0 (on board NIC), and I NAT everything to eth2 (PCI NIC that was replaced) using Shorewall for my internal network.
Does anyone have any suggestions on how to troubleshoot and fix this?
More information about the Snort-users