Snort producing tcpdump unreadable binary files.

From: Lim Wee Guan (weeguan@hem.passagen.se)
Date: 05/29/02
Date: Wed, 29 May 2002 21:08:06 +0800
To: freebsd-security@freebsd.org
From: weeguan@hem.passagen.se (Lim Wee Guan)

Dear all,

I have started running snort on a firewall machine running FreeBSD
4.6-RC. It is made to log packets in tcpdump-readable binary
format, i.e. using the -b flag.

However, after a while of logging, snort appears to go "crazy" and
logs apparently all packets (humongous log files are typical), and if
I attempt to read the binary file using tcpdump -r, I get this
message at the end of some valid packets: "tcpdump: pcap_loop: bogus
savefile header"

According to google, some guys had this problem in the past, but it
had to do with RedHat Linux machines, and the fact that they changed
the libpcap or something like that.

This is not RedHat, so what gives?

Any advice will be greatly appreciated, as I am currently logging in
ASCII, which is not exactly optimal for that slow, grunt machine...
;-)

Thanks and regards.

-- 
Lim, Wee Guan            |      PGP Fingerprint
weeguan@myrealbox.com    |  430F EF64 2C43 A672 67B3
ICQ:   46537067          |  BFE5 6DAA B0C1 E9B1 6332
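As an added example (not part of the original post, nor code from snort or tcpdump), the walker below applies the same kind of per-record sanity check that makes tcpdump stop with "bogus savefile header" and reports how many packets are readable and at which byte offset the savefile goes bad, so the good prefix can be split off and read. It assumes the standard libpcap savefile layout; the sample file is constructed inline.

```python
import struct

# Standard libpcap savefile layout: 24-byte global header, then records of a
# 16-byte header (ts_sec, ts_usec, caplen, origlen) followed by caplen bytes.
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def scan_pcap(data: bytes):
    """Return (readable_packets, bad_offset); bad_offset is None if every
    record parsed cleanly, else the offset of the first record header that
    fails a libpcap-style sanity check (caplen larger than snaplen or than
    the original length, or running past end of file)."""
    if len(data) < GLOBAL_HDR_LEN:
        return 0, 0
    for end in ("<", ">"):  # magic is in the writer's byte order; probe both
        magic, _major, _minor, _tz, _sig, snaplen, _link = struct.unpack(
            end + "IHHiIII", data[:GLOBAL_HDR_LEN])
        if magic == PCAP_MAGIC:
            break
    else:
        return 0, 0  # not a pcap savefile at all
    off, count = GLOBAL_HDR_LEN, 0
    while off + RECORD_HDR_LEN <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack(
            end + "IIII", data[off:off + RECORD_HDR_LEN])
        if caplen > snaplen or caplen > origlen or off + RECORD_HDR_LEN + caplen > len(data):
            return count, off
        off += RECORD_HDR_LEN + caplen
        count += 1
    return count, (None if off == len(data) else off)  # trailing partial header


def salvage(data: bytes) -> bytes:
    """Longest prefix of the savefile that tcpdump -r reads without error."""
    bad = scan_pcap(data)[1]
    return data if bad is None else data[:bad]


def _record(payload: bytes) -> bytes:  # constructed helper for the sample
    return struct.pack("<IIII", 1022674086, 0, len(payload), len(payload)) + payload

# Constructed sample: snaplen 96, Ethernet, two good records, then a record
# header whose caplen (0xFFFFFFFF) is the kind tcpdump rejects as bogus.
SAMPLE = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 96, 1)
SAMPLE += _record(b"\x00" * 60) + _record(b"\x00" * 42)
SAMPLE += struct.pack("<IIII", 1022674086, 0, 0xFFFFFFFF, 60) + b"\x00" * 8

if __name__ == "__main__":
    print("readable packets / first bad offset:", scan_pcap(SAMPLE))
```

Running scan_pcap over a real log shows whether the corruption starts at one record (a writer bug or a partial write) or whether the file is unreadable from the global header onward, which is the first thing to establish before blaming libpcap.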