[Snort-users] DAQ and libpcap 1.1.1 vs 1.0.0

Russ Combs rcombs at ...1935...
Mon Nov 8 14:59:48 EST 2010


Did you enable debug on your DAQ build (-g -O0)?

I don't have --disable-remote (or anything "remote") with libpcap-1.1.1.

On Mon, Nov 8, 2010 at 2:55 PM, Russ Combs <rcombs at ...1935...> wrote:

>
>
> On Mon, Nov 8, 2010 at 12:35 PM, <vincent at ...15035...> wrote:
>
>>
>> Hi Russ,
>>
>> On my RHEL5.5 system, the following CFLAGS are passed to libpcap's
>> configure:
>>
>> + CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
>> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
>> + ./configure --prefix=/usr/libpcap1 --enable-ipv6 --without-libnl
>>
>> I recompiled without --disable-remote and ran gdb on snort.
>> Running gdb on this build wasn't very informative:
>>
>>
> Did you build the DAQ with debug support (-g -O0)?
>
>
>> (gdb) set args -i eth0
>> (gdb) r
>> Starting program: /usr/sbin/snort-plain -i eth0
>> [Thread debugging using libthread_db enabled]
>> Running in packet dump mode
>>
>>        --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pcap DAQ configured to passive.
>> Acquiring network traffic from "eth0".
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x000000000049feec in pcap_daq_start ()
>> (gdb) bt
>> #0  0x000000000049feec in pcap_daq_start ()
>> #1  0x0000000000438624 in DAQ_Start () at ../../src/sfdaq.c:414
>> #2  0x0000000000424bda in SnortMain (argc=3, argv=0x7fffffffe7e8) at
>> ../../src/snort.c:712
>> #3  0x0000003536e1d994 in __libc_start_main () from /lib64/libc.so.6
>> #4  0x0000000000404359 in _start ()
>> (gdb) b DAQ_Start
>> Breakpoint 1 at 0x438610: file ../../src/sfdaq.c, line 414.
>> (gdb) r
>> The program being debugged has been started already.
>> Start it from the beginning? (y or n) y
>> Starting program: /usr/sbin/snort-plain -i eth0
>> [Thread debugging using libthread_db enabled]
>> Running in packet dump mode
>>
>>        --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pcap DAQ configured to passive.
>> Acquiring network traffic from "eth0".
>>
>> Breakpoint 1, DAQ_Start () at ../../src/sfdaq.c:414
>> 414         int err = daq_start(daq_mod, daq_hand);
>> (gdb) s
>> 413     {
>> (gdb) s
>> 414         int err = daq_start(daq_mod, daq_hand);
>> (gdb) s
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x000000000049feec in pcap_daq_start ()
>> (gdb) what daq_mod
>> type = const DAQ_Module_t *
>> (gdb) what daq_hand
>> type = void *
>> (gdb) display daq_hand
>> 1: daq_hand = (void *) 0x156c9c0
>> (gdb) display daq_mod
>> 2: daq_mod = (const DAQ_Module_t *) 0x4e6000
>>
>> And in the syslog, I got:
>> snort[24390]: segfault at 0000000000000010 rip 000000000049feec rsp
>> 00007fff03cf30f0 error 4
>>
>> Perhaps there's a security feature kicking in?
>>
>>
>> On Mon, 8 Nov 2010, vincent at ...15035... wrote:
>>
>>
>>> Hi Russ,
>>>
>>> On Mon, 8 Nov 2010, Russ Combs wrote:
>>>
>>>  I don't seem to have a --disable-remote for my libpcap 1.1.1 configure.
>>>>
>>>> What exactly does that do?
>>>>
>>>
>>> # ./configure --help|grep remot
>>>  --disable-remote        disable remote capture capabilities
>>>
>>
> Don't have this in my libpcap-1.1.1.
>
>
>>
>>> That's all I know. I don't know yet why it causes daq to crash snort when
>>> that support is compiled in. libpcap-1.0.0 didn't have these 'remote
>>> capture' features (I think).
>>>
>>>  I'm glad you've got a workaround but would like to figure out what the
>>>> issue is and fix the DAQ if needed.
>>>>
>>>
>>> Yes, so would I. Now that I got the binary distribution 'stabilized'
>>> enough, I can spend more time trying to figure out why it crashes under
>>> RHEL5.5 when 'remote capture' is enabled inside libpcap 1.1.1.
>>>
>>> Regards,
>>>
>>> Vincent
>>>
>>
>
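
An added example, not part of the original thread: a small parser for the kernel segfault line quoted above. The `error` field is the x86 page-fault error code, so `error 4` with a fault address of `0x10` decodes as a user-mode read of a non-present page at a small offset from NULL, at the same instruction pointer gdb reported in `pcap_daq_start`. The function name `decode_segfault` and the `NULL_PAGE_LIMIT` threshold are assumptions of this example.

```python
import re

# Matches the RHEL5-era form ("rip"/"rsp") and the later "ip"/"sp" form.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]:\s+segfault at (?P<addr>[0-9a-f]+)\s+"
    r"r?ip (?P<ip>[0-9a-f]+)\s+r?sp (?P<sp>[0-9a-f]+)\s+error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear)
PF_BITS = [
    (0x01, "protection violation on a present page", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set in page table", None),
    (0x10, "instruction fetch", None),
]

# Assumption: a fault below one 4 KiB page is treated as NULL plus a field offset.
NULL_PAGE_LIMIT = 0x1000


def decode_segfault(line):
    """Parse one kernel segfault line; return a dict, or None if it does not match."""
    m = SEGV_RE.search(" ".join(line.split()))  # re-join a line wrapped by the mailer
    if not m:
        return None
    err = int(m.group("err"), 16)  # the kernel prints the error code in hex
    addr = int(m.group("addr"), 16)
    flags = [on if err & mask else off for mask, on, off in PF_BITS]
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        "ip": int(m.group("ip"), 16),
        "sp": int(m.group("sp"), 16),
        "error": err,
        "flags": [f for f in flags if f],
        "null_deref_offset": addr if addr < NULL_PAGE_LIMIT else None,
    }


# The syslog line quoted in the thread, including its line wrap.
SAMPLE = """snort[24390]: segfault at 0000000000000010 rip 000000000049feec rsp
00007fff03cf30f0 error 4"""

if __name__ == "__main__":
    info = decode_segfault(SAMPLE)
    print(info["comm"], hex(info["ip"]), hex(info["fault_addr"]), info["flags"])
```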