Snort producing tcpdump unreadable binary files.

From: Lim Wee Guan (weeguan@hem.passagen.se)
Date: 05/29/02

• Next message: Kris Kennaway: "Re: Snort producing tcpdump unreadable binary files."
• Previous message: Retal: "Re: FreeBSD Security Notice FreeBSD-SN-02:03"
• Next in thread: Kris Kennaway: "Re: Snort producing tcpdump unreadable binary files."
• Reply: Kris Kennaway: "Re: Snort producing tcpdump unreadable binary files."
• Reply: John Ruff: "Re: Snort producing tcpdump unreadable binary files."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 29 May 2002 21:08:06 +0800
To: freebsd-security@freebsd.org
From: weeguan@hem.passagen.se (Lim Wee Guan)

Dear all,

I have started running snort on a firewall machine running FreeBSD
4.6-RC. It is made to log packets using tcpdump binary readable
format. i.e. using the -b flag.

However, after a while of logging, snort appears to go "crazy" and
logs apparently all packets (humongous log files are typical), and if
I attempt to read the binary file using tcpdump -r, I get this
message at the end of some valid packets: "tcpdump: pcap_loop: bogus
savefile header"

According to google, some guys had this problem is the past, but it
had to do with RedHat Linux machines, and the fact that they changed
the libpcap or something like that.

This is not RedHat, so what gives?

Any advice will be greatly appreciated, as I am currently logging in
ASCII, which is not exactly optimal for that slow, grunt machine...
;-)

Thanks and regards.

-- 
Lim, Wee Guan	         |      PGP Fingerprint
weeguan@myrealbox.com    |  430F EF64 2C43 A672 67B3
ICQ:   46537067	         |  BFE5 6DAA B0C1 E9B1 6332
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

---

• Next message: Kris Kennaway: "Re: Snort producing tcpdump unreadable binary files."
• Previous message: Retal: "Re: FreeBSD Security Notice FreeBSD-SN-02:03"
• Next in thread: Kris Kennaway: "Re: Snort producing tcpdump unreadable binary files."
• Reply: Kris Kennaway: "Re: Snort producing tcpdump unreadable binary files."
• Reply: John Ruff: "Re: Snort producing tcpdump unreadable binary files."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: DI-804 ... Have you tried running Snort or ... > TCPDump to see if you can log the actual data in the packets and determine ... useful information:) but thanx anyway ... (comp.security.firewalls) Re: ntpd fails to synchronize on FreeBSD 6.3-STABLE ... 12 packets received by filter ... Then let the tcpdump go for about 15 minutes. ... Firewall on my router/gateway is disabled, ... # shutdown -r now ... (freebsd-stable) Re: flooding an embedded device with isic and tcpreplay causing different results ... You can try use -nn option at tcpdump too, ... now I wondering why the tcpreplay attack don't f*** up the SOHO. ... The tcpdump isn't complete because of "dropped by kernel" packets - ... listening on eth0, link-type EN10MB, capture size ... (Pen-Test) Re: Should route, but doesnt ... > I bought the Netgear box last June. ... > Packets get from the RedHat 7.2 box to my LAN or to the Internet. ... You might find it useful to watch the packets with tcpdump, ... with the private subnets. ... (comp.os.linux.networking) RE: NFS regression? Odd delays and lockups accessing an NFS export. ... required length to catch whole packets." ... Odd delays and lockups accessing an NFS ... can you provide me with a binary tcpdump or wireshark dump? ... The kernel booted though, so that was okay. ... (Linux-Kernel)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2002-05