[Snort-users] Snort 2.9.0.3 & Phil Wood's modified libpcap

Michael Scheidell michael.scheidell at ...8144...
Tue Feb 8 12:03:22 EST 2011


minor fix.. just grep for and patch it yourself.

bet patch fails due to spaces vs. tabs

only critical line is this one: (note, yep, you want the VALUE, not the 
key :-)
and make sure that any kernel conf stuff allows you to pull a bpf buffer 
that big.
10mb seems to do a great job.

        context->buffer_size = strtol(entry->key, NULL, 10);

change to:
        context->buffer_size = strtol(entry->value, NULL, 10);
  



On 2/8/11 12:00 PM, Weir, Jason wrote:
> hmm my patching foo needs work any ideas?
> /usr/src/daq-0.5/os-daq-modules# patch -p1 <patch.daq_pcap.c
> patching file daq_pcap.c2011-02-01
> Hunk #1 FAILED at 39.
> Hunk #2 FAILED at 216.
> 2 out of 2 hunks FAILED -- saving rejects to file daq_pcap.c2011-02-01.rej
>
> -J
>
>     -----Original Message-----
>     *From:* Michael Scheidell [mailto:michael.scheidell at ...8144...]
>     *Sent:* Tuesday, February 08, 2011 10:59 AM
>     *To:* Weir, Jason
>     *Cc:* snort-users at lists.sourceforge.net
>     *Subject:* Re: [Snort-users] Snort 2.9.0.3 & Phil Wood's modified
>     libpcap
>
>     On 2/8/11 10:54 AM, Weir, Jason wrote:
>>     Ok - I'll bite, where do I get the latest daq version, looks like
>>     snort.org only has 0.5...
>>     -J
>>
>     small patch, published on this list: 2/1/11, 2:06 ET, subject
>     'freebsd/snort 2.9.0.3 daq: how do I verity if is using ram.
>
>     author xiche at ...3147...:
>
>     --- os-daq-modules/daq_pcap.c.orig	2011-01-30 15:28:19.000000000 -0500
>     +++ os-daq-modules/daq_pcap.c	2011-02-01 14:03:08.000000000 -0500
>     @@ -39,7 +39,7 @@
>
>       #include "daq_api.h"
>
>     -#define DAQ_PCAP_VERSION 3
>     +#define DAQ_PCAP_VERSION 4
>
>       typedef struct _pcap_context
>       {
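Review bot: the DAQ_PCAP_VERSION bump from 3 to 4 has no comment saying what changed. The version number is the only thing in this hunk that separates a module carrying the buffer_size fix from one without it, so a short comment beside the define (or a changelog line) naming the fix would help anyone checking which build they are running.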
>     @@ -216,7 +216,7 @@ static int pcap_daq_initialize(const DAQ
>           for (entry = config->values; entry; entry = entry->next)
>           {
>               if (!strcmp(entry->key, "buffer_size"))
>     -            context->buffer_size = strtol(entry->key, NULL, 10);
>     +            context->buffer_size = strtol(entry->value, NULL, 10);
>           }
>           /* Try to account for legacy PCAP_FRAMES environment variable if we weren't passed a buffer size. */
>           if (context->buffer_size == 0)
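Review bot: in the buffer_size branch, strtol(entry->value, NULL, 10) is called with a NULL end pointer and no errno check, so a malformed value is accepted silently. A value such as "10mb" parses as 10, and a non-numeric value parses as 0, which then falls into the `if (context->buffer_size == 0)` legacy PCAP_FRAMES path as if nothing had been configured. Suggest passing an end pointer, rejecting the value when `*end != '\0'`, when errno is ERANGE or when the result is not positive, and reporting the bad setting instead of continuing.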
>
>     -- 
>     Michael Scheidell, CTO
>

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008
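
The one-line fix discussed in this message, and what its bare strtol() still lets through, as an added example (not code from the DAQ source or from anyone in this thread). `struct kv`, `find()` and the `size_*` functions are hypothetical stand-ins, and the sample values are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the key/value list the patched loop walks. */
struct kv { const char *key; const char *value; const struct kv *next; };
static const struct kv *find(const struct kv *e, const char *key)
{
    for (; e; e = e->next)
        if (!strcmp(e->key, key)) return e;
    return NULL;
}
/* Pre-patch: parses the key text "buffer_size", which has no digits -> 0. */
long size_prepatch(const struct kv *cfg)
{
    const struct kv *e = find(cfg, "buffer_size");
    return e ? strtol(e->key, NULL, 10) : 0;
}
/* Patched line: parses the value, but stops silently at the first non-digit. */
long size_patched(const struct kv *cfg)
{
    const struct kv *e = find(cfg, "buffer_size");
    return e ? strtol(e->value, NULL, 10) : 0;
}
/* Strict variant (assumption, not DAQ code): 0 on success, -1 on a missing,
 * empty, non-numeric, trailing-junk, out-of-range or non-positive value. */
int size_strict(const struct kv *cfg, long *out)
{
    const struct kv *e = find(cfg, "buffer_size");
    char *end;
    long v;
    if (!e || !e->value || !*e->value)
        return -1;
    errno = 0;
    v = strtol(e->value, &end, 10);
    if (errno == ERANGE || end == e->value || *end != '\0' || v <= 0)
        return -1;
    *out = v;
    return 0;
}
int main(void)
{
    /* Constructed samples: 10 MB written in bytes, and written as "10mb". */
    const struct kv bytes = { "buffer_size", "10485760", NULL };
    const struct kv unit = { "buffer_size", "10mb", NULL };
    long v = 0;
    printf("bytes: pre-patch=%ld patched=%ld\n", size_prepatch(&bytes), size_patched(&bytes));
    printf("10mb:  patched=%ld strict=%d\n", size_patched(&unit), size_strict(&unit, &v));
    return 0;
}
```
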

