[Snort-users] ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0

Scott Thomas scott_pin at ...131...
Wed Nov 30 07:29:14 EST 2016


This may be from being a newbie, but I see other indications of folks with a similar issue, but no solutions that have solved it for me.

I have searched the list via web and found a post of 5 October 2016 with a similar subject, but no resolution. I am running almost the identical setup.

Snort is on a Debian Jessie (8.6.0) VM (KVM).

I have configured my system per the doc Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf (except for some path differences).

When I start Snort inline (with sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0) it starts as expected, silently listening. I ping the IP of the VM system from another box, but there is no output on the console.

Checking the log:

sudo snort -r /var/log/snort/snort.log 
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to read-file.
ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
Fatal Error, Quitting..

As with the poster in the prior thread, I can find nothing in the archives or an online search that helps me solve this.

Please help!

Thank you in advance,

Scott
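
The libpcap message quoted above says that 0 of the 4 magic-number bytes at the start of the file could be read, which is what a 0-byte file produces. The following is an added example, not part of the original post and not Snort or libpcap code: a Python check that classifies a capture file by its header before it is handed to snort -r. The function names and the sample header bytes are constructed for illustration.

```python
import struct
import sys

# First 4 bytes of a classic pcap file -> (struct byte order, timestamp resolution).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # block type of a pcapng Section Header Block


def diagnose_capture(data: bytes) -> str:
    """Classify the leading bytes of a capture file by its file header."""
    if len(data) == 0:
        # 0 of 4 magic bytes available: the condition reported in the error above.
        return "empty: no file header, nothing was written to this file"
    if len(data) < 4:
        return f"truncated: only {len(data)} of 4 magic bytes present"
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        return "pcapng: section header block found"
    if magic not in PCAP_MAGICS:
        return f"not pcap: unknown magic {magic.hex()}"
    endian, resolution = PCAP_MAGICS[magic]
    if len(data) < 24:
        return f"truncated: pcap magic ok, only {len(data)} of 24 header bytes"
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    body = "header only, zero packets" if len(data) == 24 else "packet records follow"
    return f"pcap {major}.{minor} ({resolution}), snaplen={snaplen}, linktype={linktype}, {body}"


def diagnose_file(path: str) -> str:
    """Read just enough of the file to see the header and the start of any records."""
    with open(path, "rb") as fh:
        return diagnose_capture(fh.read(64))


# Constructed sample: a valid little-endian pcap 2.4 header, Ethernet link type, no packets.
HEADER_ONLY = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {diagnose_file(path)}")
```

Reading the log file normally needs the same privileges as the sudo snort -r command shown above.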


