[Snort-users] pcap DAQ does not support inline

Y M snort at ...15979...
Wed Apr 24 10:20:00 EDT 2013

The two interfaces will be used by Snort, you will need a third interface for management, i.e.: ssh, database, etc.

Also don't forget to set the daq mode, look for --daq-mode

I haven't used ipfw, so I can't add to that.

Please, when you reply, reply to the entire list, everybody benefits :)
From: Joao Daniel Neves<mailto:joaodanielnevesss at ...125...>
Sent: 4/24/2013 4:28 PM
To: Y M<mailto:snort at ...15979...>
Subject: RE: [Snort-users] pcap DAQ does not support inline



/usr/local/bin/snort --daq afpacket -Q -c /etc/snort/snort.conf -i eth0:eth1

I'm using this line to start Snort. As I searched, afpacket needs two interfaces:

"In order to have an inline deployment you need at least one pair of interfaces for the traffic to flow through. To that end, you need to specify a second interface for AFPacket to use to complete the bridge."

But for some reason when I used two interfaces things got weird. I lost SSH access to Snort. I think that the reason is that the traffic flows through one interface to another. Do you have some clues about this issue?

My available daq modules are:

pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv

Which module can I use to enable inline mode without needing to specify two interfaces?
I think that it would be ipfw, but as far as I know ipfw is for BSD and I'm not using BSD.

To: joaodanielnevesss at ...125...; snort-users at lists.sourceforge.net
From: snort at ...15979...
Subject: RE: [Snort-users] pcap DAQ does not support inline
Date: Mon, 22 Apr 2013 18:56:45 +0300

pcap does not support inline mode, it is meant for passive mode only. Instead, use afpacket for inline mode.

To make sure it is installed, run Snort as

snort --daq-list

This will return a list of the installed daq modules.

From: Joao Daniel Neves
Sent: 4/22/2013 6:47 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] pcap DAQ does not support inline


I'm getting this error when running Snort in inline mode: "ERROR: pcap DAQ does not support inline". I have searched on Google, but did not get anything useful. The point is I don't even know why this is happening.

What do you suggest?

Some information for debugging:

My daq dir is /usr/local/lib/daq

ls /usr/local/lib/daq

I tried to start Snort with:

/usr/local/bin/snort -Q -i eth1 --daq-dir /usr/local/lib/daq/ -c /etc/snort/snort.conf

/usr/local/bin/snort -Q -de --daq nfq --daq-dir /usr/local/lib/daq -c /etc/snort/snort.conf

/usr/local/bin/snort --daq pcap -Q -c /etc/snort/snort.conf -i eth0:eth1

/usr/local/bin/snort -Q -c /etc/snort/snort.conf -i eth0:eth1

None of them worked.

Some more information:

Maybe those multiple versions of pcap are causing the error?
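A pre-flight check for the inline setup discussed in this thread, added here as an example and not part of the original messages or of Snort itself. It reads the `--daq-list` output quoted above and flags the three problems raised in the thread: a DAQ without inline support, an afpacket invocation without an interface pair, and a management interface that is part of the bridge. The function names and the choice of eth0 as the SSH interface are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a Snort inline command line.
# DAQ_LIST is the module list quoted in the thread, embedded so the script
# runs offline; on a sensor use: DAQ_LIST=$(snort --daq-list)
DAQ_LIST='pcap(v3): readback live multi unpriv
ipfw(v2): live inline multi unpriv
dump(v1): readback live inline multi unpriv
afpacket(v4): live inline multi unpriv'

# daq_supports_inline MODULE: succeeds if MODULE advertises "inline".
daq_supports_inline() {
    printf '%s\n' "$DAQ_LIST" | awk -v m="$1" '
        { name = $1; sub(/\(.*/, "", name) }
        name == m { for (i = 2; i <= NF; i++) if ($i == "inline") ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# check_inline MODULE IFACE_SPEC MGMT_IFACE (hypothetical helper).
# Handles a single afpacket pair such as eth0:eth1. Prints one line per
# problem and returns the number of problems found.
check_inline() {
    module=$1; spec=$2; mgmt=$3; problems=0
    if ! daq_supports_inline "$module"; then
        echo "$module DAQ is not listed as inline-capable"
        problems=$((problems + 1))
    fi
    if [ "$module" = afpacket ]; then
        first=${spec%%:*}; second=${spec#*:}
        if [ "$first" = "$spec" ] || [ -z "$second" ]; then
            echo "afpacket inline needs an interface pair, e.g. eth0:eth1"
            problems=$((problems + 1))
        fi
        if [ "$mgmt" = "$first" ] || [ "$mgmt" = "$second" ]; then
            echo "$mgmt is part of the bridge; management traffic (SSH) will be lost"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# The thread's command line, assuming SSH was reaching the box over eth0.
check_inline afpacket eth0:eth1 eth0 || true
```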
