From owner-freebsd-security Wed May 29 06:08:19 2002
Date: Wed, 29 May 2002 21:08:06 +0800
From: weeguan@hem.passagen.se (Lim Wee Guan)
To: freebsd-security@freebsd.org
Subject: Snort producing tcpdump unreadable binary files.
Message-ID: <20020529210806.A29200@nexus>
User-Agent: Mutt/1.2.5.1i
X-Operating-System: FreeBSD 4.6-RC

Dear all,

I have started running snort on a firewall machine running FreeBSD 4.6-RC. It is made to log packets using tcpdump binary readable format, i.e. using the -b flag.

However, after a while of logging, snort appears to go "crazy" and logs apparently all packets (humongous log files are typical), and if I attempt to read the binary file using tcpdump -r, I get this message at the end of some valid packets:

"tcpdump: pcap_loop: bogus savefile header"

According to google, some guys had this problem in the past, but it had to do with RedHat Linux machines, and the fact that they changed the libpcap or something like that. This is not RedHat, so what gives?

Any advice will be greatly appreciated, as I am currently logging in ASCII, which is not exactly optimal for that slow, grunt machine... ;-)

Thanks and regards.

-- 
Lim, Wee Guan          | PGP Fingerprint
weeguan@myrealbox.com  | 430F EF64 2C43 A672 67B3
ICQ: 46537067          | BFE5 6DAA B0C1 E9B1 6332
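The "bogus savefile header" error above comes from libpcap refusing a per-packet record header it considers implausible. The following script is an added example (not from the poster or the snort/tcpdump projects) that walks a tcpdump-format savefile and reports the offset of the first record header that fails the same kind of sanity check, so the corruption point in a large snort -b log can be located without tcpdump aborting. The checks modelled (captured length larger than the file's snaplen, or a record running past end of file) and the constructed sample file are assumptions, not a claim about libpcap's exact logic.

```python
import struct

# pcap magic numbers -> struct byte-order prefix
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def check_pcap(data):
    """Walk a pcap savefile held in memory.

    Returns (ok, records_read, offset): ok is False when the global header
    is unrecognised or a record header fails the sanity checks; offset is
    the file offset of the first bad header (end of file when ok).
    """
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        return (False, 0, 0)
    endian = MAGICS[data[:4]]
    _major, _minor, _tz, _sig, snaplen, _linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    off, n = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            return (False, n, off)  # record header itself is truncated
        _sec, _frac, caplen, _origlen = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        # Assumed libpcap-style checks: caplen can never exceed the
        # snaplen from the global header, and the record must fit the file.
        if caplen > snaplen or off + RECORD_HDR_LEN + caplen > len(data):
            return (False, n, off)
        off += RECORD_HDR_LEN + caplen
        n += 1
    return (True, n, off)


def build_sample():
    """Constructed savefile: two sane 14-byte records (snaplen 96), then a
    record header claiming caplen 5000, which a reader must reject."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, 1)
    good = struct.pack("<IIII", 1022690886, 0, 14, 14) + b"\x00" * 14
    bad = struct.pack("<IIII", 1022690887, 0, 5000, 5000) + b"\x00" * 16
    return hdr + good + good + bad
```

Run `check_pcap(open(path, "rb").read())` on a real log; the returned offset is where a sane prefix can be cut with dd or a similar tool before handing the file to tcpdump -r.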