HPE Community
Operating System - HP-UX
1825719 Members
3071 Online
109686 Solutions
New Discussion

Snort OpenPcap error

 
Bosco Tsang
Valued Contributor

‎09-06-2002 05:32 AM

‎09-06-2002 05:32 AM

Snort OpenPcap error

I am trying to run Snort but have the following error. There should be no other application running/using OpenPcap and in fact, I've just install libpcap right before installing snort. Any idea what happen? and how can I make it to work?

--
Sep 6 09:35:28 syslog: Initializing daemon mode
Sep 6 09:35:28 syslog: FATAL ERROR: ERROR: OpenPcap() device lan0 open:
0 Kudos
Reply
5 REPLIES 5
Ron Kinner
Honored Contributor

‎09-06-2002 06:42 AM

‎09-06-2002 06:42 AM

Re: Snort OpenPcap error

There should be more to the error message. It's not necessarily telling you that OpenPcap() or lan0 is in use - just that OpenPcap() had a problem trying to open lan0. Maybe you need to turn on debug to see all of it?

There are two errors mentioned on the web:

recv_ack: promisc_phys: Invalid argument

"if you run snort and receive the error message
"ERROR: OpenPcap() device lan0 open:
recv_ack: promisc_phys: Invalid argument"
it's because there's another program running using the DLPI service.
The HP-UX implementation doesn't allow more than one libpcap program
at a time to run, unlike Linux."

can't find PPA for /dev/lan0

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=3A06E84C.2000109%40rsn.hp.com&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3D%2522OpenPcap()%2Bdevice%2Blan0%2Bopen%2522%26sa%3DN%26tab%3Dwg



Ron
0 Kudos
Reply
Bosco Tsang
Valued Contributor

‎09-06-2002 09:09 AM

‎09-06-2002 09:09 AM

Re: Snort OpenPcap error

How can I turn on debug? There is no such option. The following is the additional error when I run snort. The libpcap library is the latest already. Any idea what happen?

--== Initializing Snort ==--
Decoding Ethernet on interface lan0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!
Parsing Rules file /usr/local/etc/snort.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Stream4 config:
Stateful inspection: ACTIVE
Session statistics: INACTIVE
Session timeout: 30 seconds
Session memory cap: 8388608 bytes
State alerts: INACTIVE
Scan alerts: ACTIVE
Log Flushed Streams: INACTIVE
Bus error(coredump)
0 Kudos
Reply
Ron Kinner
Honored Contributor

‎09-06-2002 06:37 PM

‎09-06-2002 06:37 PM

Re: Snort OpenPcap error

You have to recompile to get debug on:

: get some more diagnostic information and post it to "snort-users" at
http://www.sourceforge.net

To get diagnostic information compile snort as either:

make clean; make CFLAGS=-ggdb

or
make clean; make "CFLAGS=-ggdb -DDEBUG"

trace coredump as:

gdb /path/to/snort /path/to/snort/core

gdb> where
gdb> bt
gdb> print $varname, varname, $$varname etc..

or if corefile isn't generated snort should be started as

gdb snort

gdb> run


Above from the snort faq.

http://www.snort.org/docs/#setup

Ron
0 Kudos
Reply
U.SivaKumar_2
Honored Contributor

‎09-06-2002 07:50 PM

‎09-06-2002 07:50 PM

Re: Snort OpenPcap error

Hi,
After Installing libpcap , Have you rebooted the server ?

regards,
U.SivaKumar
Innovations are made when conventions are broken
0 Kudos
Reply
rick jones
Honored Contributor

‎09-09-2002 09:57 AM

‎09-09-2002 09:57 AM

Re: Snort OpenPcap error

installation of libpcap should not require a system reboot - libpcap is just user-space code under HP-UX.

i'd verify that the latest version of libpcap is on the system - going back a ways there were problems with libpcap when Auto Port Aggregation was installed - it make a return larger tha libpcap was expecting.

once the latest revision of libpcap is installed, try it with tcpdump to get some data along a slightly different axis.


just a random though - are you running as root, or something else?
there is no rest for the wicked yet the virtuous have no pillows
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.