[Snort-users] Corrupted Frame and Exit
MBabcock at ...14532...
Tue Mar 17 13:47:15 EDT 2009
>From that link
> Linux kernel 2.6.29-rc6, x86_64, but 32-bit userland. It seems to
> work on 32/32 and 64/64-bit machines.
Thanks for the report. This is probably caused by the new packet
mmap interface, before Linux 2.6.27 it wasn't 64-bit clean and the
libpcap package in sid was built against 2.6.26 headers, so the new
tpacket v2 format support which fixes it wasn't compiled in.
Unfortunately I don't have a 64-bit machine running Linux 2.6.27+
where I could verify this right now, but I think that if you rebuild
the current source package with an up-to-date linux-libc-dev
(2.6.28-1) the resulting deb will work in your configuration.
I am using 2.6.26 which supports the reason above.
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcock at ...14532...
> Thank you, I was wondering if I sent that email. Your problem should be
> with the libcap version you are on. Look into your options for a newer
> What version do you have installed? I use ADM64 as well with the new
> stable version Lenny.. I am guessing your using testing or unstable. Can
> you post a couple lines from etc/apt/sources.list ?
> I have...
> sudo dpkg -l |grep ii |grep libpcap
> ii libpcap0.8 0.9.8-5 system
> interface for user-level packet captu
> and I have never seen that error. Let me know if you want to check other
> version of other things, I stopped following the thread not sure what else
> was discussed...
> You might be able to do this... assuming your version is broken and you
> need an old stable version...
> sudo aptitude purge libpcap(everything) && sudo aptitude clean && sudo vim
> /etc/apt/sources.list change everything to lenny (I use the replace
> Then do sudo aptitude update && sudo aptitude install libpcap0.8 (and
> everything that was removed when you purged libpcap a minute ago)
> -- Matthew R. Babcock
> CEO, Principal Consultant
> A & R Technology Consulting - Providing solutions, not limitations -
> MBabcock at ...14532...
> (508) 397-8280
>> --- Original Message
>> From: Nathaniel Richmond <nate+snort at ...14258...>
>> Sent: Monday, March 16, 2009, at 05:06AM PDT (GMT -0700)
>> NR> If the error is about the libpcap headers, you may not have the
>> NR> libpcap-dev package installed. It might help to paste the exact
>> NR> error for the list.
>> I did/do have libpcap-dev installed.
>> Here is the error again:
>> rockenfield:~# tcpdump -vv -i eth3
>> tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 96
>> 09:22:26.123716 Broadcast Unknown SSAP 0xe6 > 00:00:00:00:00:00 (oui
>> Ethernet) NetBeui Information, send seq 33, rcv seq 46, Flags [Final],
>> length 4294967282
>> tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 94 +
>> 428 > frame len 160
>> 26 packets captured
>> 27 packets received by filter
>> 0 packets dropped by kernel
>> If there is more information you'd like, let me know and I'll gladly
>> It looks like this is my problem, which was kindly posted by Matthew
>> I am running the amd64 version of the kernel. I have tried to build
>> libpcap on my own but I'm not the best builder and had some problems. I
>> will contact the Debian folks and see what's going on.
>> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
>> powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
>> easily build your RIAs with Flex Builder, the Eclipse(TM)based
>> software that enables intelligent coding and step-through debugging.
>> Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> Snort-users list archive:
More information about the Snort-users