Home page logo

snort logo Snort mailing list archives

Not receiving packets
From: Wayne Andersen <waynea () clima-tech com>
Date: Mon, 06 Jan 2014 17:35:20 -0700

I have a new install of snort, I have compiled daq and snort from sources.

I just used the default configure directives and received no errors.

When I run snort everything checks out and operates perfectly except 
that it is not reading any packets from any of my interfaces, eth0 or eth1.

-T reports everything good.

I can capture packets using tcpdump no problem,
and in fact I can capture from either interface to a file and then run 
snort with 'snort -r capture_file -c /etc/snort/snort.conf' and it works 
and alerts as expected.

snort -i eth0 -c /etc/snort/snort.conf nothing
snort -i eth1 -c /etc/snort/snort.conf nothing
tcpdump -i eth0 -w capture_file works
tcpdump -i eth1 -w capture_file works
snort -r capture_file -c /etc/snort/snort.conf works

I have a test rule that alerts on all http traffic, so it is not hard to 
get an alert.
Somehow I don't think DAQ is working properly, daq dump gives me nothing.

snort -i em2 --daq dump
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
dump DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet

         --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version GRE (Build 208)
    ''''    By Martin Roesch & The Snort Team: 
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.5.0
            Using PCRE version: 8.33 2013-05-28
            Using ZLIB version: 1.2.8

Commencing packet processing (pid=1466)

Any ideas?

Wayne Andersen

Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
  • Not receiving packets Wayne Andersen (Jan 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]