[Snort-users] ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0

Al Lewis (allewi) allewi at ...589...
Wed Nov 30 07:52:09 EST 2016


Hello Scott,

To start snort “inline” you need two interfaces. Based on what you have below, there is only one being used.

Do you see any packets within your exit stats? 

Do you have a rule set up to alert on the ICMP traffic? (Snort will only log things that should be alerted on when using IDS mode)



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi at ...589... 







On 11/30/16, 7:29 AM, "Scott Thomas" <scott_pin at ...131...> wrote:

>This may be from being a newbie, but I see other indications of folks with a similar issue, but no solutions that have solved it for me.
>
>I have searched the list via web and found a post of 5 October 2016 with a similar subject, but no resolution. I am running almost the identical setup.
>
>Snort is on a Debian Jessie (8.6.0) vm (kvm).
>
>I have configured my system per the doc Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf (except for some path differences).
>
>When I start snort inline (with sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0) it starts as expected, silently listening. I ping the IP of the vm system from another box, but there is no output on the console.
>
>Checking the log:
>
>sudo snort -r /var/log/snort/snort.log 
>Running in packet dump mode
>
>        --== Initializing Snort ==--
>Initializing Output Plugins!
>pcap DAQ configured to read-file.
>ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
>Fatal Error, Quitting..
>
>As with the poster in the prior thread, I can find nothing in the archives or an online search that helps me solve this.
>
>Please help!
>
>Thank you in advance,
>
>Scott
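Added example, not part of the original messages: the error text says the pcap reader asked for the 4 file header bytes and got 0, which is what an empty file produces. The Python sketch below classifies the leading bytes of a capture file so an empty or truncated log can be told apart from a valid one before it is passed to `snort -r`; the function names and the sample header are constructed for this illustration.

```python
import struct
import sys

# Magic numbers defined by the libpcap and pcapng file formats.
PCAP_MAGICS = {
    0xA1B2C3D4: "pcap (microsecond timestamps)",
    0xA1B23C4D: "pcap (nanosecond timestamps)",
}
PCAPNG_MAGIC = 0x0A0D0D0A  # byte-order independent (palindromic)
PCAP_HEADER_LEN = 24       # size of the libpcap global file header

# Constructed sample: a little-endian pcap global header
# (version 2.4, snaplen 65535, link type 1 = Ethernet).
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def classify_capture(data: bytes) -> str:
    """Classify the first bytes of a file the way a pcap reader would see them."""
    if len(data) == 0:
        return "empty"            # the "only got 0" case from the error
    if len(data) < 4:
        return "truncated-magic"  # fewer than the 4 magic bytes present
    (le,) = struct.unpack("<I", data[:4])
    (be,) = struct.unpack(">I", data[:4])
    if le == PCAPNG_MAGIC:
        return "pcapng"
    for value, order in ((le, "little-endian"), (be, "big-endian")):
        if value in PCAP_MAGICS:
            if len(data) < PCAP_HEADER_LEN:
                return "truncated-header"
            return f"{PCAP_MAGICS[value]}, {order}"
    return "not-a-capture"


def check_file(path: str) -> str:
    """Read only the header-sized prefix of `path` and classify it."""
    with open(path, "rb") as fh:
        return classify_capture(fh.read(PCAP_HEADER_LEN))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(f"{p}: {check_file(p)}")
```

A result of `empty` means nothing was written to the log at all, which fits the reply's point that Snort in IDS mode only logs packets that matched a rule.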

