[Snort-users] DAQ and libpcap 1.1.1 vs 1.0.0

vincent at ...15035... vincent at ...15035...
Mon Nov 8 12:35:35 EST 2010


Hi Russ,

On my RHEL5.5 system, the following CFLAGS are passed to libpcap's 
configure:

+ CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
+ ./configure --prefix=/usr/libpcap1 --enable-ipv6 --without-libnl

I recompiled without --disable-remote and ran gdb on snort.
Running gdb on this build wasn't very informative:

(gdb) set args -i eth0
(gdb) r
Starting program: /usr/sbin/snort-plain -i eth0
[Thread debugging using libthread_db enabled]
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".

Program received signal SIGSEGV, Segmentation fault.
0x000000000049feec in pcap_daq_start ()
(gdb) bt
#0  0x000000000049feec in pcap_daq_start ()
#1  0x0000000000438624 in DAQ_Start () at ../../src/sfdaq.c:414
#2  0x0000000000424bda in SnortMain (argc=3, argv=0x7fffffffe7e8) at 
../../src/snort.c:712
#3  0x0000003536e1d994 in __libc_start_main () from /lib64/libc.so.6
#4  0x0000000000404359 in _start ()
(gdb) b DAQ_Start
Breakpoint 1 at 0x438610: file ../../src/sfdaq.c, line 414.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/snort-plain -i eth0
[Thread debugging using libthread_db enabled]
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".

Breakpoint 1, DAQ_Start () at ../../src/sfdaq.c:414
414         int err = daq_start(daq_mod, daq_hand);
(gdb) s
413     {
(gdb) s
414         int err = daq_start(daq_mod, daq_hand);
(gdb) s

Program received signal SIGSEGV, Segmentation fault.
0x000000000049feec in pcap_daq_start ()
(gdb) what daq_mod
type = const DAQ_Module_t *
(gdb) what daq_hand
type = void *
(gdb) display daq_hand
1: daq_hand = (void *) 0x156c9c0
(gdb) display daq_mod
2: daq_mod = (const DAQ_Module_t *) 0x4e6000

And in the syslog, I got:
snort[24390]: segfault at 0000000000000010 rip 000000000049feec rsp 00007fff03cf30f0 error 4

Perhaps there's a security feature kicking in?

On Mon, 8 Nov 2010, vincent at ...15035... wrote:

>
> Hi Russ,
>
> On Mon, 8 Nov 2010, Russ Combs wrote:
>
>> I don't seem to have a --disable-remote for my libpcap 1.1.1 configure.
>>
>> What exactly does that do?
>
> # ./configure --help|grep remot
>   --disable-remote        disable remote capture capabilities
>
> That's all I know. I don't know yet why it causes daq to crash snort when
> that support is compiled in. libpcap-1.0.0 didn't have these 'remote
> capture' features (I think).
>
>> I'm glad you've got a workaround but would like to figure out what the issue is and fix the DAQ if needed.
>
> Yes, so would I. Now that I got the binary distribution 'stabilized'
> enough, I can spend more time trying to figure out why it crashes under
> RHEL5.5 when 'remote capture' is enabled inside libpcap 1.1.1.
>
> Regards,
>
> Vincent
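
Added example, not part of the original message or of Snort/DAQ: a small Python decoder for the kernel "segfault at ..." syslog line quoted above. It splits the x86 page-fault error code into its architectural bits. The function name, the `near_null` field and the 0x1000 threshold are assumptions chosen for this illustration.

```python
import re
from typing import NamedTuple, Optional

# Matches the old x86_64 form ("rip"/"rsp") and the newer one ("ip"/"sp").
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# Heuristic (assumption): a fault inside the first page usually means a
# NULL base pointer plus a small struct/array offset.
NULL_PAGE_LIMIT = 0x1000

class Fault(NamedTuple):
    comm: str
    pid: int
    addr: int       # faulting virtual address
    ip: int         # instruction pointer at the fault
    error: int      # raw x86 page-fault error code
    access: str     # read / write / instruction fetch
    cause: str      # page not mapped / protection violation
    mode: str       # user / kernel
    near_null: bool

def decode_segfault(line: str) -> Optional[Fault]:
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    # x86 page-fault error code: bit0 P, bit1 W/R, bit2 U/S, bit4 I/D
    if err & 0x10:
        access = "instruction fetch"
    elif err & 0x2:
        access = "write"
    else:
        access = "read"
    cause = "protection violation" if err & 0x1 else "page not mapped"
    mode = "user" if err & 0x4 else "kernel"
    return Fault(m["comm"], int(m["pid"]), addr, ip, err,
                 access, cause, mode, addr < NULL_PAGE_LIMIT)

# The syslog line from the message above.
SAMPLE = ("snort[24390]: segfault at 0000000000000010 rip 000000000049feec "
          "rsp 00007fff03cf30f0 error 4")

if __name__ == "__main__":
    print(decode_segfault(SAMPLE))
```

For the quoted line this reports a user-mode read of an unmapped page at address 0x10, with the instruction pointer equal to the `pcap_daq_start` frame address shown in the gdb backtrace.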



