Re: Snort producing tcpdump unreadable binary files.

From: John Ruff (john@dndlabs.net)
Date: 05/31/02 

From: John Ruff <john@dndlabs.net>
To: weeguan@hem.passagen.se (Lim Wee Guan), freebsd-security@freebsd.org
Date: Thu, 30 May 2002 20:40:03 -0400

You should actually be using "snort -r" to read the files and not "tcpdump
-r". 

--
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324  A85E 4957 D3C6 FA6C F3AE
On Wednesday 29 May 2002 09:08, Lim Wee Guan wrote:
> Dear all,
>
> I have started running snort on a firewall machine running FreeBSD
> 4.6-RC. It is made to log packets using tcpdump binary readable
> format. i.e. using the -b flag.
>
> However, after a while of logging, snort appears to go "crazy" and
> logs  apparently all packets (humongous log files are typical), and if
> I attempt to read the binary file using tcpdump -r, I get this
> message at the end of some valid packets: "tcpdump: pcap_loop: bogus
> savefile header"
>
> According to google, some guys had this problem is the past, but it
> had to do with RedHat Linux machines, and the fact that they changed
> the libpcap or something like that.
>
> This is not RedHat, so what gives?
>
> Any advice will be greatly appreciated, as I am currently logging in
> ASCII, which is not exactly optimal for that slow, grunt machine...
> ;-)
>
> Thanks and regards.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages