<div dir="ltr"><br><div class="gmail_extra">To Waldo Kitty,<br><br><br></div><div class="gmail_extra">I found an answer already. I have to use the "-i" option too, to force snort to use my LAN interface instead of the NFLOG interface, which is the first interface that tcpdump uses.<br>
<br></div><div class="gmail_extra">I know this from running "tcpdump -D".<br></div><div class="gmail_extra"><br><div class="gmail_quote">2014-08-23 10:56 GMT+07:00 Jutichai Thongkrachai <span dir="ltr"><<a href="mailto:thsecmaniac@...11827..." target="_blank">thsecmaniac@...11827...</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I still get that error.<br><div><div><div class="gmail_extra"><br></div><div class="gmail_extra">I tried to uninstall it with "make uninstall" and installed again with "./configure  --enable-non-ether-decoders  --enable-sourcefire", but I still get that error.<br>

<br></div><div class="gmail_extra">I don't know whether this is a usual message to get during install. I get some messages while running "make install":<br><br>Making install in etc<br>make[1]: Entering directory `/usr/local/src/snort-2.9.6.2/etc'<br>

make[2]: Entering directory `/usr/local/src/snort-2.9.6.2/etc'<br>make[2]: Nothing to be done for `install-exec-am'.<br>make[2]: Nothing to be done for `install-data-am'.<br>make[2]: Leaving directory `/usr/local/src/snort-2.9.6.2/etc'<br>

make[1]: Leaving directory `/usr/local/src/snort-2.9.6.2/etc'<br>Making install in templates<br><br><br></div><div class="gmail_extra">Moreover, my CentOS uses "enp2s0" as my LAN interface.<br></div><div class="gmail_extra">

<br></div><div class="gmail_extra"><br><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="">From: waldo kitty <<a href="mailto:wkitty42@...14940..." target="_blank">wkitty42@...14940...</a>><br>

To: <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a><br>Cc: <br></div>Date: Thu, 21 Aug 2014 17:58:33 -0400<div class=""><br>Subject: Re: [Snort-users] Got the "ERROR: Cannot decode data link type 239" message when turn on sniffer mode<br>
</div><div class="">
On 8/21/2014 5:08 AM, Jutichai Thongkrachai wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
To Waldo kitty,<br>
<br>
<br>
After running "./configure  --enable-non-ether-decoders  --enable-sourcefire",<br>
do I need to run "make ;make install" again?<br>
</blockquote>
<br></div>
yes... maybe with "make clean" first...<br>
<br>
configure only configures the compile environment so that make can compile everything with the proper make values...<div class=""><br>
<br>
-- <br>
 NOTE: No off-list assistance is given without prior approval.<br>
       Please *keep mailing list traffic on the list* unless<br>
       private contact is specifically requested and granted.<br>
<br>
<br>
<br></div><div class="">
<br></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div>
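Data link type 239 is libpcap's DLT_NFLOG, which matches the resolution at the top of this thread: the capture was opening the nflog pseudo-device listed first by "tcpdump -D" rather than the LAN NIC. The following is an added example, not part of the original thread or of Snort: it parses a constructed sample of "tcpdump -D" output and picks the interface to pass to "-i". The function names and the skip list of pseudo-devices are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -D` output (not taken from the thread),
# shaped like the case described: nflog is listed first, the LAN NIC later.
SAMPLE_TCPDUMP_D='1.nflog (Linux netfilter log (NFLOG) interface)
2.nfqueue (Linux netfilter queue (NFQUEUE) interface)
3.usbmon1 (USB bus number 1)
4.enp2s0
5.any (Pseudo-device that captures on all interfaces)
6.lo'

# iface_name: strip the "N." index and any trailing description from one line.
iface_name() {
    name=${1#*.}
    printf '%s\n' "${name%% *}"
}

# first_listed_iface: the device at the top of the list, which the thread
# reports is the one picked when no -i is given.
first_listed_iface() {
    IFS= read -r line || return 1
    iface_name "$line"
}

# pick_capture_iface: first listed device that is not a pseudo-device.
# The skip list is an assumption for this example; adjust it per host.
pick_capture_iface() {
    while IFS= read -r line; do
        name=$(iface_name "$line")
        case "$name" in
            ''|nflog|nfqueue|usbmon*|any|lo) continue ;;
        esac
        printf '%s\n' "$name"
        return 0
    done
    return 1
}

default=$(printf '%s\n' "$SAMPLE_TCPDUMP_D" | first_listed_iface)
lan=$(printf '%s\n' "$SAMPLE_TCPDUMP_D" | pick_capture_iface)
echo "listed first: $default; use instead: snort -v -i $lan"
# On a live host: lan=$(tcpdump -D | pick_capture_iface)
```

pick_capture_iface returns a non-zero status when only pseudo-devices are listed, so a wrapper script can stop instead of starting Snort on a link type it cannot decode.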