From owner-freebsd-security Thu May 30 17:43:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from notes.dndlabs.net (rdu88-251-049.nc.rr.com [24.88.251.49]) by hub.freebsd.org (Postfix) with ESMTP id BE15837B409 for ; Thu, 30 May 2002 17:42:54 -0700 (PDT)
Received: from ronin ([192.168.1.103]) by notes.dndlabs.net (Lotus Domino Build M12_02042002 Pre-release 1) with ESMTP id 2002053020404978-1527 ; Thu, 30 May 2002 20:40:49 -0400
From: John Ruff
To: weeguan@hem.passagen.se (Lim Wee Guan), freebsd-security@freebsd.org
Subject: Re: Snort producing tcpdump unreadable binary files.
Date: Thu, 30 May 2002 20:40:03 -0400
X-Mailer: KMail [version 1.4]
References: <20020529210806.A29200@nexus>
In-Reply-To: <20020529210806.A29200@nexus>
MIME-Version: 1.0
Message-Id: <200205302040.03264.john@dndlabs.net>
Content-Type: text/plain; charset="iso-8859-1"

You should actually be using "snort -r" to read the files and not "tcpdump -r".

-- 
GnuPG Public Key: https://www.dndlabs.net/pgpkey/listing.php
Key Fingerprint = 73D0 EDCC D5ED A6C0 1324 A85E 4957 D3C6 FA6C F3AE

On Wednesday 29 May 2002 09:08, Lim Wee Guan wrote:
> Dear all,
>
> I have started running snort on a firewall machine running FreeBSD
> 4.6-RC. It is made to log packets using tcpdump binary readable
> format. i.e. using the -b flag.
>
> However, after a while of logging, snort appears to go "crazy" and
> logs apparently all packets (humongous log files are typical), and if
> I attempt to read the binary file using tcpdump -r, I get this
> message at the end of some valid packets: "tcpdump: pcap_loop: bogus
> savefile header"
>
> According to google, some guys had this problem in the past, but it
> had to do with RedHat Linux machines, and the fact that they changed
> the libpcap or something like that.
>
> This is not RedHat, so what gives?
>
> Any advice will be greatly appreciated, as I am currently logging in
> ASCII, which is not exactly optimal for that slow, grunt machine...
> ;-)
>
> Thanks and regards.
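As an added example that is not part of this thread (it is neither poster's code, nor Snort's or libpcap's), the checker below walks a tcpdump binary file record by record and reports the byte offset at which the per-record headers stop making sense, which is the first thing worth knowing when tcpdump -r stops with "bogus savefile header" part-way through a file. It relies only on the standard libpcap layout (24-byte global header, 16-byte record header, magic 0xA1B2C3D4 plus its byte-swapped and nanosecond variants); the sample captures are constructed in memory, and the 256 KiB caplen ceiling is an assumption borrowed from libpcap's maximum snapshot length.

```python
"""Validate a libpcap savefile and report where parsing breaks (added example)."""
import struct

# Magic values as read with a little-endian unpack of the first four bytes.
# A writer stores 0xA1B2C3D4 (0xA1B23C4D for nanosecond timestamps) in its
# own byte order, so the byte-swapped value identifies a big-endian file.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", "usec"),
    0xD4C3B2A1: (">", "usec"),
    0xA1B23C4D: ("<", "nsec"),
    0x4D3CB2A1: (">", "nsec"),
}
GLOBAL_HDR = "IHHiIII"    # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"       # ts_sec, ts_frac, incl_len (caplen), orig_len (16 bytes)
MAX_SANE_CAPLEN = 262144  # assumption: libpcap's maximum snapshot length; larger is never a real record


def check_pcap(data: bytes) -> dict:
    """Walk a savefile record by record and say where (if anywhere) it breaks.

    Returns {"ok", "packets", "reason", "offset", "snaplen", "version"}; on
    failure "offset" is the byte position of the offending record header.
    """
    res = {"ok": False, "packets": 0, "reason": None, "offset": 0,
           "snaplen": None, "version": None}
    if len(data) < 24:
        res["reason"] = "shorter than the 24-byte global header"
        return res
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGICS:
        res["reason"] = "unknown magic 0x%08x: not a libpcap savefile" % magic
        return res
    endian, _ = PCAP_MAGICS[magic]
    _, major, minor, _, _, snaplen, _ = struct.unpack(endian + GLOBAL_HDR, data[:24])
    res["snaplen"], res["version"] = snaplen, (major, minor)
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            res["reason"], res["offset"] = "truncated record header", off
            return res
        _, _, caplen, origlen = struct.unpack(endian + RECORD_HDR, data[off:off + 16])
        # A record claiming more captured bytes than the file's snaplen, than
        # the packet's own wire length, or than any real snapshot allows is
        # not a record: the reader has lost sync with the file at this offset.
        if caplen > snaplen or caplen > origlen or caplen > MAX_SANE_CAPLEN:
            res["reason"] = ("bogus record header: caplen=%d origlen=%d snaplen=%d"
                             % (caplen, origlen, snaplen))
            res["offset"] = off
            return res
        if len(data) - off - 16 < caplen:
            res["reason"], res["offset"] = "truncated packet data", off
            return res
        off += 16 + caplen
        res["packets"] += 1
    res["ok"] = True
    return res


def build_pcap(payloads, snaplen=1514, endian="<") -> bytes:
    """Constructed sample data: a v2.4 Ethernet (linktype 1) savefile."""
    out = struct.pack(endian + GLOBAL_HDR, 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, p in enumerate(payloads):
        out += struct.pack(endian + RECORD_HDR, 1022800000 + i, 0, len(p), len(p)) + p
    return out


def corrupt_second_record(data: bytes) -> bytes:
    """Constructed failure case (little-endian file): clobber the second record's caplen."""
    first_len = struct.unpack("<I", data[24 + 8:24 + 12])[0]
    off = 24 + 16 + first_len          # start of the second record header
    return data[:off + 8] + struct.pack("<I", 0xFFFFFFFF) + data[off + 12:]


if __name__ == "__main__":
    good = build_pcap([b"\x00" * 60, b"\x01" * 120])
    for name, blob in [("good", good),
                       ("corrupt", corrupt_second_record(good)),
                       ("truncated", good[:-10]),
                       ("not-pcap", b"this is not a capture file")]:
        print(name, check_pcap(blob))
```

Run against a real capture with check_pcap(open(path, "rb").read()): a clean file returns ok with the packet count, while a file that tcpdump rejects returns the offset of the first inconsistent record, so the good prefix can be split off and the damaged tail inspected separately.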