Re: cannot decode data link type 239

[James Lay <jlay () slave-tothe-box net>]

On 2014-09-09 10:33, Sharif Uddin wrote:
> Hello
>
> I have had snort running for a while without problems, just recently
> it has not logged anything which is weird. When I done strace on 
> snort
> I found the following problem
>
> socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
>
> ioctl(4, SIOCGIFADDR, {ifr_name="nflog", ???}) = -1 ENODEV (No such
> device)
>
> close(4) = 0
>
> write(2, "ERROR: Cannot decode data link t"..., 40ERROR: Cannot 
> decode
> data link type 239
>
> ) = 40
>
> write(2, "Fatal Error, Quitting..n", 24Fatal Error, Quitting..
>
> I have googled this and all answers point to running extra command on
> build. But my snort was running fine, which does not make sense
>
> I use following to run snort
>
> snort -q -u snort -g snort -c /etc/snort/snort.conf -i ens34 -D
>
> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2
> -w /var/log/snort/barnyard2.waldo
>
> how do I fix this
>
> Sharif Uddin

Might want to ./configure by adding --enable-non-ether-decoders for 
testing.

James


------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce.
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!