Snort producing tcpdump unreadable binary files.

From: Lim Wee Guan (weeguan@hem.passagen.se)
Date: 05/29/02


Date: Wed, 29 May 2002 21:08:06 +0800
To: freebsd-security@freebsd.org
From: weeguan@hem.passagen.se (Lim Wee Guan)

Dear all,

I have started running snort on a firewall machine running FreeBSD
4.6-RC. It is made to log packets using tcpdump binary readable
format, i.e. using the -b flag.

However, after a while of logging, snort appears to go "crazy" and
logs apparently all packets (humongous log files are typical), and if
I attempt to read the binary file using tcpdump -r, I get this
message at the end of some valid packets: "tcpdump: pcap_loop: bogus
savefile header"

According to google, some guys had this problem in the past, but it
had to do with RedHat Linux machines, and the fact that they changed
the libpcap or something like that.

This is not RedHat, so what gives?

Any advice will be greatly appreciated, as I am currently logging in
ASCII, which is not exactly optimal for that slow, grunt machine...
;-)

Thanks and regards.

-- 
Lim, Wee Guan	         |      PGP Fingerprint
weeguan@myrealbox.com    |  430F EF64 2C43 A672 67B3
ICQ:   46537067	         |  BFE5 6DAA B0C1 E9B1 6332
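As an added example (not code from the original post, Snort or libpcap), a small Python checker that walks a pcap savefile the way tcpdump -r does, validating the global header and each record header, and reporting the byte offset and reason where the file stops being readable. The test that a record's captured length must not exceed the file's snaplen is the kind of sanity check behind libpcap's "bogus savefile header" message; the sample capture the script builds is constructed test data, and the file name in the usage comment is a placeholder.

```python
import struct
import sys

# pcap global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<"}  # magic as read big-endian -> file byte order
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16

def scan_pcap(data):
    """Walk a pcap savefile; return (packets_ok, bad_offset, reason).
    bad_offset is None when the whole file parses cleanly."""
    if len(data) < GLOBAL_HDR_LEN:
        return 0, 0, "file shorter than global header"
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in MAGICS:
        return 0, 0, "unknown magic 0x%08x" % magic
    end = MAGICS[magic]
    _, major, minor, _, _, snaplen, _ = struct.unpack(end + "IHHiIII", data[:GLOBAL_HDR_LEN])
    if (major, minor) != (2, 4):
        return 0, 0, "unexpected version %d.%d" % (major, minor)
    off, count = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            return count, off, "truncated record header"
        _, _, caplen, origlen = struct.unpack(end + "IIII", data[off:off + RECORD_HDR_LEN])
        # A record claiming more captured bytes than the snaplen cannot be valid
        if caplen > snaplen:
            return count, off, "bogus record header: caplen=%d origlen=%d snaplen=%d" % (caplen, origlen, snaplen)
        if len(data) - off - RECORD_HDR_LEN < caplen:
            return count, off, "truncated packet data"
        off += RECORD_HDR_LEN + caplen
        count += 1
    return count, None, "ok"

def build_sample():
    """Constructed test data, not a real capture: a little-endian pcap with two tiny
    frames, and the same file with a record header claiming more bytes than snaplen."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    good = b""
    for n in (14, 60):
        good += struct.pack("<IIII", 1022677686, 0, n, n) + bytes(n)
    bad = struct.pack("<IIII", 1022677686, 0, 0xDEADBEEF, 0xDEADBEEF) + b"\x00" * 32
    return hdr + good, hdr + good + bad

if __name__ == "__main__":  # usage: python scan_pcap.py snort.log.PLACEHOLDER
    with open(sys.argv[1], "rb") as f:
        print(scan_pcap(f.read()))
```

The returned offset tells you how many leading bytes are still good, so a tool like tcpdump can be pointed at a copy of the file truncated at that offset to salvage the packets logged before the corruption.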

