Re: [Snort-users] Corrupted Frame and Exit

From: Matthew Babcock (MBabcockAandRTech.com)
Date: Tue Mar 17 2009 - 12:47:15 CDT


From that link
-----------------
> Linux kernel 2.6.29-rc6, x86_64, but 32-bit userland. It seems to
> work on 32/32 and 64/64-bit machines.

Thanks for the report. This is probably caused by the new packet
mmap interface, before Linux 2.6.27 it wasn't 64-bit clean and the
libpcap package in sid was built against 2.6.26 headers, so the new
tpacket v2 format support which fixes it wasn't compiled in.

Unfortunately I don't have a 64-bit machine running Linux 2.6.27+
where I could verify this right now, but I think that if you rebuild
the current source package with an up-to-date linux-libc-dev
(2.6.28-1) the resulting deb will work in your configuration.
-----------------

I am using 2.6.26 which supports the reason above.

Regards,
-- Matthew R. Babcock
CEO, Principal Consultant
A & R Technology Consulting - Providing solutions, not limitations -
MBabcockAandRTech.com
(508) 397-8280

>
> Thank you, I was wondering if I sent that email. Your problem should be
> with the libpcap version you are on. Look into your options for a newer
> one.
>
> What version do you have installed? I use AMD64 as well with the new
> stable version Lenny. I am guessing you're using testing or unstable. Can
> you post a couple of lines from /etc/apt/sources.list?
>
> I have...
> sudo dpkg -l |grep ii |grep libpcap
> ii libpcap0.8 0.9.8-5 system
> interface for user-level packet captu
>
> and I have never seen that error. Let me know if you want to check other
> versions of other things. I stopped following the thread, so I am not sure
> what else was discussed...
>
> -----------
> You might be able to do this... assuming your version is broken and you
> need an old stable version...
> sudo aptitude purge libpcap(everything) && sudo aptitude clean && sudo vim
> /etc/apt/sources.list change everything to lenny (I use the replace
> function).
> Then do sudo aptitude update && sudo aptitude install libpcap0.8 (and
> everything that was removed when you purged libpcap a minute ago)
>
>
> Regards,
> -- Matthew R. Babcock
> CEO, Principal Consultant
> A & R Technology Consulting - Providing solutions, not limitations -
> MBabcockAandRTech.com
> (508) 397-8280
>
>> --- Original Message
>> From: Nathaniel Richmond <nate+snortrichmond-family.org>
>> Sent: Monday, March 16, 2009, at 05:06AM PDT (GMT -0700)
>>
>> NR> If the error is about the libpcap headers, you may not have the
>> NR> libpcap-dev package installed. It might help to paste the exact
>> NR> error for the list.
>>
>> I did/do have libpcap-dev installed.
>>
>> Here is the error again:
>> rockenfield:~# tcpdump -vv -i eth3
>> tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 96 bytes
>> 09:22:26.123716 Broadcast Unknown SSAP 0xe6 > 00:00:00:00:00:00 (oui Ethernet) NetBeui Information, send seq 33, rcv seq 46, Flags [Final], length 4294967282
>> tcpdump: pcap_loop: corrupted frame on kernel ring mac offset 94 + caplen 428 > frame len 160
>> 26 packets captured
>> 27 packets received by filter
>> 0 packets dropped by kernel
>>
>> If there is more information you'd like, let me know and I'll gladly
>> post it.
>>
>> It looks like this is my problem, which was kindly posted by Matthew
>> Babcock:
>> http://74.125.95.132/search?q=cache:y-f7nqzgi-cJ:help.lockergnome.com/linux/Bug-517098-libpap-1_i386-broken-64-bit-kernel--ftopict493202.html+pcap_loop:+corrupted+frame+on+kernel+ring&hl=en&ct=clnk&cd=1&gl=us&ie=UTF-8
>>
>> I am running the amd64 version of the kernel. I have tried to build
>> libpcap on my own but I'm not the best builder and had some problems. I
>> will contact the Debian folks and see what's going on.
>>
>> Thanks,
>> -MikeD
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-userslists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>
>
>

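The explanation quoted at the top of this message (the TPACKET_V1 mmap header is not 64-bit clean when 32-bit userland runs on a 64-bit kernel) can be shown directly. The C program below is an added example, not code from libpcap, the kernel, or anyone in this thread: the struct and function names are hypothetical, the field order follows the kernel's `struct tpacket_hdr`, a little-endian host is assumed, and the sample header is constructed (94, 428 and 160 are taken from the error message above; 66 and 80 are made up).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TPACKET_V1 header as a 64-bit kernel lays it out: tp_status is an
 * unsigned long, which is 8 bytes there. */
struct v1_kernel64 {
    uint64_t tp_status;
    uint32_t tp_len, tp_snaplen;
    uint16_t tp_mac, tp_net;
    uint32_t tp_sec, tp_usec;
};

/* The same header as a 32-bit userland build declares it: unsigned long is
 * 4 bytes, so every later field is expected 4 bytes earlier. */
struct v1_user32 {
    uint32_t tp_status;
    uint32_t tp_len, tp_snaplen;
    uint16_t tp_mac, tp_net;
    uint32_t tp_sec, tp_usec;
};

/* Bounds check of the kind behind the "corrupted frame" message: the
 * captured bytes must fit inside one ring frame. Returns 0 when sane. */
int frame_check(uint32_t tp_mac, uint32_t tp_snaplen, uint32_t frame_len) {
    return (tp_mac + tp_snaplen > frame_len) ? -1 : 0;
}

/* Reinterpret the kernel's bytes using the 32-bit layout. */
struct v1_user32 misread_v1(const struct v1_kernel64 *k) {
    struct v1_user32 u;
    memcpy(&u, k, sizeof u);
    return u;
}

/* Constructed sample: a 428-byte packet clipped to 94 captured bytes,
 * stored at offset 66 of a 160-byte ring frame. */
struct v1_kernel64 sample_v1(void) {
    struct v1_kernel64 k = { .tp_status = 1, .tp_len = 428, .tp_snaplen = 94,
                             .tp_mac = 66, .tp_net = 80 };
    return k;
}

int main(void) {
    struct v1_kernel64 k = sample_v1();
    struct v1_user32 u = misread_v1(&k);
    printf("kernel view: mac %u + caplen %u, check %d\n", (unsigned)k.tp_mac,
           (unsigned)k.tp_snaplen, frame_check(k.tp_mac, k.tp_snaplen, 160));
    printf("32-bit view: mac %u + caplen %u, check %d\n", (unsigned)u.tp_mac,
           (unsigned)u.tp_snaplen, frame_check(u.tp_mac, u.tp_snaplen, 160));
    return 0;
}
```

The 32-bit reader picks up the kernel's `tp_len` as its caplen and the kernel's `tp_snaplen` as its MAC offset, so a valid frame fails the bounds check. TPACKET_V2 declares `tp_status` as a 32-bit field, so both sides compute the same offsets.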