[Snort-users] DAQ and libpcap 1.1.1 vs 1.0.0

vincent at ...15035...
Tue Nov 9 04:50:49 EST 2010


On Mon, 8 Nov 2010, Russ Combs wrote:

> Did you enable debug on your DAQ build (-g -O0)?
> 
> I don't have --disable-remote (or anything "remote") with libpcap-1.1.1.

Hi Russ,

You are right. The libpcap I was passed by a trustable 3rd-party was a 
modified 1.1.1 with remote packet capture 
(http://www.liberouter.org/nific/usecases/rpcap/rpcap.php). I'm reverting 
to standard libpcap and will push new rpms really soon.

Thank you,

Vincent

> On Mon, Nov 8, 2010 at 2:55 PM, Russ Combs <rcombs at ...1935...> wrote:
> 
>
>       On Mon, Nov 8, 2010 at 12:35 PM, <vincent at ...15035...> wrote:
>
>       Hi Russ,
>
>       On my RHEL5.5 system, the following CFLAGS are passed to libpcap's configure:
>
>       + CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
>       + ./configure --prefix=/usr/libpcap1 --enable-ipv6 --without-libnl
>
>       I recompiled without --disable-remote and ran gdb on snort.
>       Running gdb on this build wasn't very informative:
> 
> 
> Did you build the DAQ with debug support (-g -O0)?
>  
>       (gdb) set args -i eth0
>       (gdb) r
>       Starting program: /usr/sbin/snort-plain -i eth0
>       [Thread debugging using libthread_db enabled]
>       Running in packet dump mode
>
>              --== Initializing Snort ==--
>       Initializing Output Plugins!
>       pcap DAQ configured to passive.
>       Acquiring network traffic from "eth0".
>
>       Program received signal SIGSEGV, Segmentation fault.
>       0x000000000049feec in pcap_daq_start ()
>       (gdb) bt
>       #0  0x000000000049feec in pcap_daq_start ()
>       #1  0x0000000000438624 in DAQ_Start () at ../../src/sfdaq.c:414
>       #2  0x0000000000424bda in SnortMain (argc=3, argv=0x7fffffffe7e8) at ../../src/snort.c:712
>       #3  0x0000003536e1d994 in __libc_start_main () from /lib64/libc.so.6
>       #4  0x0000000000404359 in _start ()
>       (gdb) b DAQ_Start
>       Breakpoint 1 at 0x438610: file ../../src/sfdaq.c, line 414.
>       (gdb) r
>       The program being debugged has been started already.
>       Start it from the beginning? (y or n) y
>       Starting program: /usr/sbin/snort-plain -i eth0
>       [Thread debugging using libthread_db enabled]
>       Running in packet dump mode
>
>              --== Initializing Snort ==--
>       Initializing Output Plugins!
>       pcap DAQ configured to passive.
>       Acquiring network traffic from "eth0".
>
>       Breakpoint 1, DAQ_Start () at ../../src/sfdaq.c:414
>       414         int err = daq_start(daq_mod, daq_hand);
>       (gdb) s
>       413     {
>       (gdb) s
>       414         int err = daq_start(daq_mod, daq_hand);
>       (gdb) s
>
>       Program received signal SIGSEGV, Segmentation fault.
>       0x000000000049feec in pcap_daq_start ()
>       (gdb) what daq_mod
>       type = const DAQ_Module_t *
>       (gdb) what daq_hand
>       type = void *
>       (gdb) display daq_hand
>       1: daq_hand = (void *) 0x156c9c0
>       (gdb) display daq_mod
>       2: daq_mod = (const DAQ_Module_t *) 0x4e6000
>
>       And in the syslog, I got:
>       snort[24390]: segfault at 0000000000000010 rip 000000000049feec rsp 00007fff03cf30f0 error 4
>
>       Perhaps there's a security feature kicking in?
> 
> 
> On Mon, 8 Nov 2010, vincent at ...15035... wrote:
> 
>
>       Hi Russ,
>
>       On Mon, 8 Nov 2010, Russ Combs wrote:
>
>             I don't seem to have a --disable-remote for my libpcap 1.1.1 configure.
>
>             What exactly does that do?
> 
>
>       # ./configure --help|grep remot
>        --disable-remote        disable remote capture capabilities
> 
> 
> Don't have this in my libpcap-1.1.1.
>  
>
>             That's all I know. I don't know yet why it causes daq to crash snort when
>             that support is compiled in. libpcap-1.0.0 didn't have these 'remote
>             capture' features (I think).
>
>                   I'm glad you've got a workaround but would like to figure out what the issue is and fix the DAQ if needed.
> 
>
>             Yes, so would I. Now that I got the binary distribution 'stabilized'
>             enough, I can spend more time trying to figure out why it crashes under
>             RHEL5.5 when 'remote capture' is enabled inside libpcap 1.1.1.
>
>             Regards,
>
>             Vincent
> 

-- 
,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,
Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote  _.,-*~'`^`'~*-,._ coyote at ...15041...

They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places.       - Robert Frost
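Decoding the kernel "segfault at ..." line quoted in the thread, as an added example (Python) that is not part of the original mails or of Snort/DAQ. The x86 kernel logs a user-space fault as `segfault at <addr> rip <ip> rsp <sp> error <code>` (older kernels such as RHEL5's spell the registers `rip`/`rsp`, newer ones `ip`/`sp`), with every numeric field printed in hex; `error` is the hardware page-fault error code, whose bits are fixed by the architecture (bit 0 present/protection, bit 1 write, bit 2 user mode, bit 3 reserved bit, bit 4 instruction fetch). The first sample line is the one from the thread; the other two are constructed for illustration, and the `classify` wording is this example's own heuristic.

```python
import re

# Matches the kernel's x86-64 user-space fault report in both the older
# "rip/rsp" spelling (RHEL5-era kernels, as in the thread) and the newer
# "ip/sp" spelling. All numeric fields, including "error", are hex.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)

# Page-fault error code bits as defined by the x86 architecture.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

# Sample log lines: the first is the line posted in the thread, the other
# two are constructed here to show a different fault kind each.
SAMPLE_LINES = [
    "snort[24390]: segfault at 0000000000000010 rip 000000000049feec "
    "rsp 00007fff03cf30f0 error 4",
    # constructed: user-mode write to an unmapped high address (error 6)
    "snort[24391]: segfault at 00007f1234567000 rip 000000000049ff10 "
    "rsp 00007fff03cf30f0 error 6",
    # constructed: instruction fetch from a mapped but non-executable
    # stack page, i.e. an NX violation (error 0x15 = PROT|USER|INSTR)
    "snort[24392]: segfault at 00007fff03cf3100 rip 00007fff03cf3100 "
    "rsp 00007fff03cf30f0 error 15",
]


def decode_error_code(err):
    """Split the hardware page-fault error code into named flags."""
    return {
        "protection_violation": bool(err & PF_PROT),  # False: page not present
        "write": bool(err & PF_WRITE),                # False: read access
        "user_mode": bool(err & PF_USER),
        "reserved_bit": bool(err & PF_RSVD),
        "instruction_fetch": bool(err & PF_INSTR),
    }


def classify(info):
    """Heuristic one-line description of the fault kind (this example's own)."""
    if info["instruction_fetch"] and info["protection_violation"]:
        return "execute of non-executable page (NX), e.g. code on stack/heap"
    if info["addr"] < 4096 and not info["protection_violation"]:
        kind = "write" if info["write"] else "read"
        return "%s through NULL pointer (member at offset 0x%x)" % (kind, info["addr"])
    if info["protection_violation"]:
        return "access to a mapped page with wrong permissions"
    return "access to an unmapped address"


def parse_segfault(line):
    """Parse one kernel segfault line; returns None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m.group("err"), 16)
    info = {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "addr": int(m.group("addr"), 16),
        "ip": int(m.group("ip"), 16),
        "sp": int(m.group("sp"), 16),
        "error": err,
    }
    info.update(decode_error_code(err))
    info["summary"] = classify(info)
    return info


def analyze_samples(lines=SAMPLE_LINES):
    """Return the classification of every parsable line, in order."""
    return [parse_segfault(l)["summary"] for l in lines if parse_segfault(l)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = parse_segfault(line)
        print("%s[%d] ip=%#x addr=%#x err=%#x -> %s"
              % (info["comm"], info["pid"], info["ip"], info["addr"],
                 info["error"], info["summary"]))
```

For the line from the thread this yields a user-mode read (bit 1 clear) of a not-present page (bit 0 clear) at address 0x10, i.e. a dereference 16 bytes into a NULL pointer inside pcap_daq_start. That is an ordinary memory-safety crash rather than a hardening feature firing: a -fstack-protector or _FORTIFY_SOURCE failure terminates the process through abort() (SIGABRT) and does not produce a "segfault at" line.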


