[Snort-users] Not receiving packets

Wayne Andersen waynea at ...16653...
Mon Jan 6 19:35:20 EST 2014

I have a new install of snort; I have compiled daq and snort from sources.

I just used the default configure directives and received no errors.

When I run snort everything checks out and operates perfectly except 
that it is not reading any packets from any of my interfaces, eth0 or eth1.

-T reports everything good.

I can capture packets using tcpdump with no problem, and in fact I can
capture from either interface to a file and then run snort with
'snort -r capture_file -c /etc/snort/snort.conf' and it works and
alerts as expected.

snort -i eth0 -c /etc/snort/snort.conf            nothing
snort -i eth1 -c /etc/snort/snort.conf            nothing
tcpdump -i eth0 -w capture_file                   works
tcpdump -i eth1 -w capture_file                   works
snort -r capture_file -c /etc/snort/snort.conf    works

I have a test rule that alerts on all http traffic, so it is not hard to
get an alert.

Somehow I don't think DAQ is working properly; daq dump gives me nothing.

snort -i em2 --daq dump
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
dump DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet

         --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version GRE (Build 208)
    ''''    By Martin Roesch & The Snort Team: 
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.5.0
            Using PCRE version: 8.33 2013-05-28
            Using ZLIB version: 1.2.8

Commencing packet processing (pid=1466)

Any ideas?

Wayne Andersen

