Snort mailing list archives
Re: Error trying to read in tcpdump file
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 12 Jun 2001 22:21:59 -0400
I use FreeBSD and OpenBSD interchangeably for development; they are very nice, stable development environments. I prefer OpenBSD as a sensor platform. In any case, Snort binary files written on a BSD system should be readable from just about any other operating system, whereas logs written on a Linux box will be arbitrarily (depending on distro) incompatible with everything other than their distro. I'd recommend using editcap(1), which comes with Ethereal, to normalize packet logs that come off Linux systems; it does a nice job of fixing the things that Red Hat breaks.

-Marty

Jason Lewis wrote:

Ok.... Which BSD distribution? I am working on documentation and How-To's for my install, and RedHat is the corporate standard. I figured I would stay with it, so someone else can deal with it while I am on vacation. ;) It will also make it easy for those new to Snort. Anyone see any long-term problems?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.

-----Original Message-----
From: roesch () mail sourcefire com [mailto:roesch () mail sourcefire com] On Behalf Of Martin Roesch
Sent: Tuesday, June 12, 2001 9:51 AM
To: jlewis () jasonlewis net
Cc: 'Snort Mailing List'
Subject: Re: [Snort-users] Error trying to read in tcpdump file

Sorry, Redhat has a really bad tendency to mess with stuff and not tell anyone about it; they've been "sorta" compatible for a long time and they're getting worse about it (struct timeval anyone? how about their own private pcap extensions?). Redhat is the reason that I stopped developing on linux and switched to BSD.

-Marty

Jason Lewis wrote:

HEY!!! No attacks on my distribution!! ;) Yes, they are both RedHat. Now that you mention it, one is 2.4 and the other is 2.2.

jas

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin Roesch
Sent: Monday, June 11, 2001 10:44 PM
To: 'Snort Mailing List'
Subject: Re: [Snort-users] Error trying to read in tcpdump file

Is one of them a linux box and the other not (or worse yet, one of them a redhat box)?

-Marty

Jason Lewis wrote:

DUH!!..... It looks like I am not using the same version of libpcap on both servers.

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Jason Lewis
Sent: Monday, June 11, 2001 9:54 PM
To: 'Snort Mailing List'
Subject: [Snort-users] Error trying to read in tcpdump file

--== Initializing Snort ==--
TCPDUMP file reading mode.
Reading network traffic from "/home/jlewis/snort-0611@0231.log" file.
snaplen = 1514
ERROR: OpenPcap() FSM compilation failed: unknown data link type 0x71
PCAP command: (null)
Fatal Error, Quitting..

Here is the command I am using.

/usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -r /home/jlewis/snort-0611@0231.log

What am I missing? I am ftping this from a remote sensor to my db server and trying to replay the file to populate the db.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
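The error in the thread comes from the pcap global header: the sensor's libpcap wrote link type 0x71 (113, DLT_LINUX_SLL, the Linux "cooked" pseudo-header that newer Linux libpcap emits for captures on the "any" pseudo-device and on interfaces without a real link-layer header), and the Snort build on the database server only knew how to decode the link types its own libpcap produced. The script below is an added example, not code from the thread, from Snort or from libpcap: it reads a pcap file's 24-byte global header in either byte order, identifies the file variant by magic number (the classic 0xa1b2c3d4, the nanosecond 0xa1b23c4d, and Alexey Kuznetzov's "modified" 0xa1b2cd34 format that Red Hat 6.x shipped, whose per-packet record header is 24 bytes rather than 16), reports the link type, and walks every record so a truncated FTP transfer or a snaplen mismatch is caught before the file is handed to Snort. The magic numbers, record layouts and DLT values are libpcap's documented constants; the sample captures, MAC and IP addresses, and file names are constructed fixtures.

```python
"""Inspect a libpcap file's global header and packet records before replay.

Added example for the thread above; not Snort, libpcap or list-member code.
All captures below are constructed in memory, not real traffic.
"""
import struct

# Global-header magic numbers (first four bytes of the file).
MAGIC_STANDARD = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
MAGIC_NSEC = 0xA1B23C4D       # later libpcap, nanosecond timestamps
MAGIC_MODIFIED = 0xA1B2CD34   # Kuznetzov "modified" libpcap (Red Hat 6.x):
                              # 24-byte instead of 16-byte record headers
RECORD_HDR_LEN = {MAGIC_STANDARD: 16, MAGIC_NSEC: 16, MAGIC_MODIFIED: 24}
VARIANT_NAME = {MAGIC_STANDARD: "standard", MAGIC_NSEC: "nanosecond",
                MAGIC_MODIFIED: "modified (Red Hat/Kuznetzov)"}

# Link-layer (DLT_*) values an IDS sensor is likely to write.
DLT_NAMES = {
    0: "NULL (BSD loopback)", 1: "EN10MB (Ethernet)", 9: "PPP", 10: "FDDI",
    101: "RAW (IP with no link-layer header)",
    113: "LINUX_SLL (Linux cooked capture, e.g. from '-i any')",
}


def inspect_pcap(data):
    """Parse the global header, walk every record, and describe the file.

    Raises ValueError if the leading bytes are no pcap magic in either order.
    """
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in RECORD_HDR_LEN:
            break
    else:
        raise ValueError("not a libpcap file (leading bytes %s)" % data[:4].hex())
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    rec_len = RECORD_HDR_LEN[magic]

    packets = oversize = 0
    truncated = False
    off = 24
    while off < len(data):
        if off + rec_len > len(data):
            truncated = True            # record header cut off mid-way
            break
        # ts_sec, ts_frac, incl_len, orig_len; the modified format appends
        # ifindex/protocol/pkt_type/pad, which rec_len skips over.
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII",
                                                     data[off:off + 16])
        off += rec_len
        if off + incl_len > len(data):
            truncated = True            # packet bytes cut off (partial copy?)
            break
        if incl_len > snaplen:
            oversize += 1               # header and data disagree
        off += incl_len
        packets += 1
    return {"magic": magic, "variant": VARIANT_NAME[magic],
            "endian": "little" if endian == "<" else "big",
            "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "linktype_name": DLT_NAMES.get(linktype, "unknown"),
            "packets": packets, "oversize_records": oversize, "truncated": truncated}


def replay_problems(info):
    """Reasons the file may not load on an Ethernet-only reader paired with
    an older libpcap, like the Snort build in the thread."""
    problems = []
    if info["variant"] != "standard":
        problems.append("non-standard magic 0x%08x: %s" % (info["magic"], info["variant"]))
    if info["linktype"] != 1:
        problems.append("link type 0x%x: %s" % (info["linktype"], info["linktype_name"]))
    if info["truncated"]:
        problems.append("file is truncated")
    if info["oversize_records"]:
        problems.append("%d record(s) exceed snaplen %d"
                        % (info["oversize_records"], info["snaplen"]))
    return problems


def build_pcap(linktype, frames, magic=MAGIC_STANDARD, endian="<", snaplen=1514):
    """Construct a pcap file in memory (fixture for this example only)."""
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack(endian + "IIII", 992312400 + i, 0, len(frame), len(frame))
        if magic == MAGIC_MODIFIED:     # ifindex, protocol, pkt_type, pad
            out += struct.pack(endian + "IHBB", 2, 0x0800, 0, 0)
        out += frame
    return out


# Constructed frames: a 20-byte IPv4 header behind an Ethernet header, and
# behind a 16-byte Linux SLL header (pkttype, hatype, halen, addr[8], proto).
IPV4_HDR = bytes.fromhex("4500001c000100004011" "0000" "c0a80001c0a80002")
ETH_FRAME = bytes.fromhex("000c29aabbcc" "005056ddeeff" "0800") + IPV4_HDR
SLL_FRAME = (struct.pack(">HHH", 0, 1, 6) + bytes.fromhex("000c29aabbcc0000")
             + struct.pack(">H", 0x0800) + IPV4_HDR)

if __name__ == "__main__":
    samples = {"bsd-sensor.log": build_pcap(1, [ETH_FRAME, ETH_FRAME], endian=">"),
               "linux-any.log": build_pcap(113, [SLL_FRAME]),
               "redhat-6.x.log": build_pcap(1, [ETH_FRAME], magic=MAGIC_MODIFIED)}
    for name, blob in samples.items():
        info = inspect_pcap(blob)
        print(name, info["variant"], info["endian"], info["linktype_name"],
              "packets=%d" % info["packets"])
        for problem in replay_problems(info):
            print("   !", problem)
```

Run it against a real file by passing `open(path, "rb").read()` to `inspect_pcap`. The check is deliberately done on the raw bytes rather than through libpcap, because the question a sensor operator wants answered is whether the file will open on a different host's libpcap, and a reader that shares the writer's quirks would hide exactly that. A file flagged for link type 0x71 is best recaptured on a specific interface rather than "any"; a non-standard magic is the case Marty's editcap suggestion addresses.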
Current thread:
- Guardian Neal Timm (Jun 11)
- <Possible follow-ups>
- Guardian Neal Timm (Jun 11)
- Error trying to read in tcpdump file Jason Lewis (Jun 11)
- RE: Error trying to read in tcpdump file Jason Lewis (Jun 11)
- Re: Error trying to read in tcpdump file Martin Roesch (Jun 11)
- RE: Error trying to read in tcpdump file Jason Lewis (Jun 12)
- Re: Error trying to read in tcpdump file Martin Roesch (Jun 12)
- RE: Error trying to read in tcpdump file Jason Lewis (Jun 12)
- Re: Error trying to read in tcpdump file Martin Roesch (Jun 12)
- Error trying to read in tcpdump file Jason Lewis (Jun 11)