Re: Snort producing tcpdump unreadable binary files.

From: John Ruff (john@dndlabs.net)
Date: 05/31/02

• Next message: John Ruff: "Re: Nmap/Snort"
• Previous message: Jacques A. Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-02:27.rc"
• In reply to: Lim Wee Guan: "Snort producing tcpdump unreadable binary files."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: John Ruff <john@dndlabs.net>
To: weeguan@hem.passagen.se (Lim Wee Guan), freebsd-security@freebsd.org
Date: Thu, 30 May 2002 20:40:03 -0400

You should actually be using "snort -r" to read the files and not "tcpdump
-r".

--
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324  A85E 4957 D3C6 FA6C F3AE
On Wednesday 29 May 2002 09:08, Lim Wee Guan wrote:
> Dear all,
>
> I have started running snort on a firewall machine running FreeBSD
> 4.6-RC. It is made to log packets using tcpdump binary readable
> format. i.e. using the -b flag.
>
> However, after a while of logging, snort appears to go "crazy" and
> logs  apparently all packets (humongous log files are typical), and if
> I attempt to read the binary file using tcpdump -r, I get this
> message at the end of some valid packets: "tcpdump: pcap_loop: bogus
> savefile header"
>
> According to google, some guys had this problem is the past, but it
> had to do with RedHat Linux machines, and the fact that they changed
> the libpcap or something like that.
>
> This is not RedHat, so what gives?
>
> Any advice will be greatly appreciated, as I am currently logging in
> ASCII, which is not exactly optimal for that slow, grunt machine...
> ;-)
>
> Thanks and regards.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Next message: John Ruff: "Re: Nmap/Snort"
• Previous message: Jacques A. Vidrine: "Re: FreeBSD Security Advisory FreeBSD-SA-02:27.rc"
• In reply to: Lim Wee Guan: "Snort producing tcpdump unreadable binary files."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Slickest way to capture all packets inbound and outbound for a specific IP address, or range? ... You could run snort in tcpdump modethen do a tcpdump on the snort log ... outbound for a specific IP address or range of IP addresses would be? ... - Precisely Define and Implement Network Security ... (Security-Basics) Re: two sniffers on the same eth ifc performance impact? ... What about just saving the tcpdump to file and piping output to snort. ... the entire packet if necessary. ... > Do You Yahoo!? ... (Focus-IDS) Re: two sniffers on the same eth ifc performance impact? ... Snort also has the capability to save tcpdump files on the fly. ... Subject: Re: two sniffers on the same eth ifc performance ... the entire packet if necessary. ... (Focus-IDS) Re: packet capture ... >Subject: Re: packet capture ... >I agree tcpdump -w somefile is great. ... >format, so you can process it later with tcpdump, snort, ngrep, or ... >Then snort for analyzing the packets (okay tcpdump does this too, ... (Security-Basics) Re: [Snort-users] Snort DoS Fallacies ... If "a lot of people" are logging in ASCII mode then nobody is reading ... NO PRODUCTION SNORT DEPLOYMENT SHOULD EVER ... then that's no longer a production sensor, ... (Bugtraq)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint