[Snort-users] ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0

Scott Thomas scott_pin at ...131...
Wed Nov 30 07:59:20 EST 2016


Hello Al,

Thank you for this response.

I do not see any packets within the exit status, and I do have a rule to alert on icmp (copied from the pdf guide).

However, I do not have two interfaces. I’ll see if I can get that set up and test it further.

Thank you!

Scott

> On Nov 30, 2016, at 7:52 AM, Al Lewis (allewi) <allewi at ...589...> wrote:
> 
> Hello Scott,
> 
> 	To start snort “inline” you need two interfaces. Based on what you have below there is only one being used.
> 
> Do you see any packets within your exit stats? 
> 
> Do you have a rule setup to alert on the icmp traffic? (Snort will only log things that should be alerted on when using IDS mode)
> 
> 
> 
> Albert Lewis
> ENGINEER.SOFTWARE ENGINEERING
> SOURCEfire, Inc. now part of Cisco
> Email: allewi at ...589... 
> 
> On 11/30/16, 7:29 AM, "Scott Thomas" <scott_pin at ...131...> wrote:
> 
>> This may be from being a newbie, but I see other indications of folks with a similar issue, but no solutions that have solved it for me.
>> 
>> I have searched the list via web and found a post of 5 October 2016 with a similar subject, but no resolution. I am running almost the identical setup.
>> 
>> Snort is on a Debian Jessie (8.6.0) vm (kvm).
>> 
>> I have configured my system per the doc Snort_2.9.8.x_on_Ubuntu_12-14-15.pdf (except for some path differences).
>> 
>> When I start snort inline (with sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i eth0) it starts as expected, silently listening. I ping the IP of the vm system from another box, but there is no output on the console.
>> 
>> Checking the log:
>> 
>> sudo snort -r /var/log/snort/snort.log 
>> Running in packet dump mode
>> 
>>       --== Initializing Snort ==--
>> Initializing Output Plugins!
>> pcap DAQ configured to read-file.
>> ERROR: Can't initialize DAQ pcap (-1) - truncated dump file; tried to read 4 file header bytes, only got 0
>> Fatal Error, Quitting..
>> 
>> As with the poster in the prior thread, I can find nothing in the archives or an online search that helps me solve this.
>> 
>> Please help!
>> 
>> Thank you in advance,
>> 
>> Scott
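The error quoted above ("tried to read 4 file header bytes, only got 0") is libpcap reporting that it asked for the 4-byte magic number at the start of the capture file and the file had nothing in it at all, i.e. /var/log/snort/snort.log is a 0-byte file rather than a corrupt one. The script below is an added example, not code from the thread or from the Snort project: it opens a capture file the same way and reports whether it is empty, cut off in the header, cut off mid-packet, a pcapng file, or a valid classic pcap. All sample data in it is constructed for the demonstration; nothing is read from a real Snort log unless you pass one to inspect_pcap().

```python
"""Added example (not from the thread): inspect a libpcap capture file the way
snort -r / libpcap would, to tell an empty file apart from a truncated or
non-pcap one.  All sample data below is constructed for the demonstration."""
import os
import struct
import tempfile

# First four bytes of a classic libpcap file, keyed to byte order and timestamp resolution.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"   # pcapng section header block, a different format
GLOBAL_HEADER_LEN = 24               # magic + version(2x2) + thiszone + sigfigs + snaplen + linktype
RECORD_HEADER_LEN = 16               # ts_sec + ts_usec + incl_len + orig_len


def inspect_bytes(data):
    """Classify capture-file contents. Returns (status, detail)."""
    size = len(data)
    if size == 0:
        # This is the case behind "tried to read 4 file header bytes, only got 0":
        # libpcap asks for the magic number and the file has nothing at all.
        return ("empty", "0 bytes: no magic number, nothing was ever written")
    if size < 4:
        return ("truncated-header", "only %d of 4 magic bytes present" % size)
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        return ("pcapng", "pcapng section header, not a classic pcap file")
    if magic not in PCAP_MAGICS:
        return ("not-pcap", "unknown magic %s" % magic.hex())
    if size < GLOBAL_HEADER_LEN:
        return ("truncated-header",
                "only %d of %d global header bytes present" % (size, GLOBAL_HEADER_LEN))
    endian, resolution = PCAP_MAGICS[magic]
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HEADER_LEN])
    # Walk the packet records so a file cut off mid-write is reported as such.
    offset, packets = GLOBAL_HEADER_LEN, 0
    while offset + RECORD_HEADER_LEN <= size:
        _sec, _frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HEADER_LEN])
        if offset + RECORD_HEADER_LEN + incl_len > size:
            return ("truncated-packet", "%d complete packets, then a record cut short" % packets)
        offset += RECORD_HEADER_LEN + incl_len
        packets += 1
    if offset != size:
        return ("truncated-packet",
                "%d complete packets, then %d stray trailing bytes" % (packets, size - offset))
    return ("ok", "pcap v%d.%d, %s timestamps, linktype %d, snaplen %d, %d packets"
            % (major, minor, resolution, linktype, snaplen, packets))


def inspect_pcap(path):
    """Read a file from disk and classify it; a 0-byte file is what the thread's error describes."""
    with open(path, "rb") as f:
        return inspect_bytes(f.read())


def make_sample_pcap(n_packets, payload_len=60):
    """Build a constructed little-endian pcap (linktype 1 = Ethernet) with n zero-filled packets."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    records = b""
    for i in range(n_packets):
        records += struct.pack("<IIII", 1480000000 + i, 0, payload_len, payload_len)
        records += b"\x00" * payload_len
    return header + records


if __name__ == "__main__":
    # Stand-alone demo: an empty file (the thread's situation) and a constructed valid one.
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "snort.log.empty")
        open(empty, "wb").close()
        good = os.path.join(tmp, "snort.log.sample")
        with open(good, "wb") as f:
            f.write(make_sample_pcap(3))
        for p in (empty, good):
            print(p, inspect_pcap(p))
```

Running inspect_pcap() against the real /var/log/snort/snort.log will return "empty" for the situation in this thread; the other statuses are there so the same check is useful when a log was being written when Snort was killed (truncated-packet) or when the file is not a classic pcap at all.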
