Date: Thu, 30 May 2002 20:40:03 -0400
From: John Ruff <john@dndlabs.net>
To: weeguan@hem.passagen.se (Lim Wee Guan), freebsd-security@freebsd.org
Subject: Re: Snort producing tcpdump unreadable binary files.
Message-ID: <200205302040.03264.john@dndlabs.net>
In-Reply-To: <20020529210806.A29200@nexus>
References: <20020529210806.A29200@nexus>
You should actually be using "snort -r" to read the files and not "tcpdump -r".

-- 
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324 A85E 4957 D3C6 FA6C F3AE

On Wednesday 29 May 2002 09:08, Lim Wee Guan wrote:
> Dear all,
>
> I have started running snort on a firewall machine running FreeBSD
> 4.6-RC. It is made to log packets using tcpdump binary readable
> format, i.e. using the -b flag.
>
> However, after a while of logging, snort appears to go "crazy" and
> logs apparently all packets (humongous log files are typical), and if
> I attempt to read the binary file using tcpdump -r, I get this
> message at the end of some valid packets: "tcpdump: pcap_loop: bogus
> savefile header"
>
> According to google, some guys had this problem in the past, but it
> had to do with RedHat Linux machines, and the fact that they changed
> the libpcap or something like that.
>
> This is not RedHat, so what gives?
>
> Any advice will be greatly appreciated, as I am currently logging in
> ASCII, which is not exactly optimal for that slow, grunt machine...
> ;-)
>
> Thanks and regards.
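The check behind the "bogus savefile header" complaint quoted above, as an added example (not code from this thread, from Snort or from tcpdump): a small walker over a classic libpcap savefile that validates the global header and then each 16-byte record header. The condition it flags is the one I understand libpcap's reader of that era to have reported with that message, a record caplen larger than the snaplen the file header promised; it also flags a record that claims more bytes than remain in the file, which is what a capture cut off mid-packet looks like. The sample files (GOOD, BOGUS, TRUNCATED) are constructed inline and are not real captures; the function names are this example's own.

```python
"""Walk a classic libpcap savefile and report where its record headers
stop making sense.  Added example; not code from the list posting,
Snort or tcpdump."""
import struct
import sys
from typing import Tuple

# Magic as read little-endian from the first four bytes -> struct byte order.
PCAP_MAGICS = {
    0xA1B2C3D4: "<",  # written little-endian, microsecond timestamps
    0xD4C3B2A1: ">",  # written big-endian, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian, nanosecond timestamps
}
GLOBAL_HDR = 24   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = 16   # ts_sec, ts_frac, caplen, origlen


class BogusSavefile(Exception):
    """Raised when the global header is not a libpcap savefile header."""


def parse_global_header(data: bytes) -> Tuple[str, int, int]:
    """Return (struct byte-order prefix, snaplen, linktype) or raise."""
    if len(data) < GLOBAL_HDR:
        raise BogusSavefile("file shorter than a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise BogusSavefile("bad magic 0x%08x, not a libpcap savefile" % magic)
    endian = PCAP_MAGICS[magic]
    _magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR])
    return endian, snaplen, linktype


def is_savefile(data: bytes) -> bool:
    """True if the global header parses as a libpcap savefile header."""
    try:
        parse_global_header(data)
        return True
    except BogusSavefile:
        return False


def walk_records(data: bytes) -> Tuple[int, str]:
    """Return (count of well-formed records, diagnostic).

    The diagnostic is "" if every record parsed cleanly; otherwise it names
    the first record whose header is bogus and why, i.e. the point at which
    a libpcap-based reader would give up on the file.
    """
    endian, snaplen, _linktype = parse_global_header(data)
    off, good = GLOBAL_HDR, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR:
            return good, "record %d: truncated record header at offset %d" % (good, off)
        _sec, _frac, caplen, _origlen = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR])
        if caplen > snaplen:
            return good, "record %d: caplen %d exceeds snaplen %d (bogus savefile header)" % (
                good, caplen, snaplen)
        remaining = len(data) - off - RECORD_HDR
        if caplen > remaining:
            return good, "record %d: claims %d bytes but only %d remain (truncated)" % (
                good, caplen, remaining)
        off += RECORD_HDR + caplen
        good += 1
    return good, ""


def build_savefile(records, snaplen: int = 96, endian: str = "<") -> bytes:
    """Assemble a savefile from (ts_sec, caplen, origlen, payload) tuples.
    Constructed test data for this example, not a real capture."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts_sec, caplen, origlen, payload in records:
        out += struct.pack(endian + "IIII", ts_sec, 0, caplen, origlen) + payload
    return out


# Constructed samples: a clean two-packet file, the same file with a third
# record whose header claims a caplen far beyond snaplen, and a copy cut
# short in the middle of the second packet.
GOOD = build_savefile([
    (1022713686, 60, 60, b"\x00" * 60),
    (1022713687, 80, 1514, b"\x11" * 80),
])
BOGUS = GOOD + struct.pack("<IIII", 1022713688, 0, 0x7FFFFFFF, 1514) + b"\x22" * 40
TRUNCATED = GOOD[:-10]

if __name__ == "__main__":
    # With a path argument, check a real file; otherwise run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(walk_records(fh.read()))
    else:
        for name, blob in (("good", GOOD), ("bogus", BOGUS), ("truncated", TRUNCATED)):
            print(name, walk_records(blob))
```

Pointing this at a file Snort wrote with -b shows at which record the file goes bad and whether the record header is out of range or the file is simply cut short; it says nothing about why Snort wrote it that way, and the advice in the reply stands: read Snort's own binary logs with "snort -r".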