
[Snort-users] ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!


jtra...@rsignia.com

Oct 19, 2012, 11:17:27 AM
I'm a newbie with SNORT and I got it running, sort of.  I am having two issues:

1) I did have SNORT working and was trying to get SNORT to output to a pcap formatted file. I know about the pcap option in snort.conf. When I enable that (output log_tcpdump: /data/snortlog/tcpdump.log) I did not get a file. I used the following command:
snort -b -d -l /data/snortlog -i dag0:0 -c /etc/snort/snort.conf

I had to shut down the system; when I rebooted, I started getting the following problem when I run SNORT.

2) When I try to run SNORT I get the following error message:
snort -u snort -g snort -i dag0:0 -c /etc/snort/snort.conf    NOTE: (dag0:0 = port A of the DAG card, dag0:2 = port B)

Initializing Output Plugins!
Log Directory = /data/snortlog
pcap DAQ configured passive.
Acquiring network traffic from 'dag0:0".
ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!
Fatal Error, Quiting..

I can capture data with an Endace DAG card. Tcpdump can see the DAG card and can capture traffic.

I am running:
CentOS 6.3 x86_64
SNORT 2.9.31 GRE (Build 40)
Libpcap v 1.2.1
PCRE v 7.8
ZLIB v 1.2.3
tcpdump 4.0.0-3
daq 1.1.1-14
Endace 4.2.2 software 


Any help is appreciated.

Thanks,


John Travlos


jtra...@rsignia.com

Oct 22, 2012, 1:23:23 PM
I'm a newbie with SNORT and I got it running, sort of.  I am having two issues:

1) I did have SNORT working. I had to shut down the system; when I rebooted, I started getting the following problem when I run SNORT.

When I run the following command:
snort -u snort -g snort -i dag0:0 -c /etc/snort/snort.conf   NOTE:(dag0:0 = port A of the DAG card, dag0:2 = port B)

Initializing Output Plugins!
Log Directory = /data/snortlog
pcap DAQ configured passive.
Acquiring network traffic from 'dag0:0".
ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!
Fatal Error, Quiting..

I get the same error if I run:
snort -u snort -g snort -i dag0:0 

I can capture data with an Endace DAG card. Tcpdump can see the DAG card and can capture traffic.

I am running:
CentOS 6.3 x86_64
SNORT 2.9.31 GRE (Build 40)
Libpcap v 1.2.1
PCRE v 7.8
ZLIB v 1.2.3
tcpdump 4.0.0-3
daq 1.1.1-14
Endace 4.2.2 software 


Any help is appreciated.


John Travlos


jtra...@rsignia.com

Oct 22, 2012, 1:39:08 PM
I forgot to add that I am running the command as root.

Nelo Belda

Oct 23, 2012, 5:56:25 AM
Maybe you are trying to capture on a virtual device (dag0:0) that isn't yet configured.

Try to exec ifconfig to see if that device is up.

Regards


Marcos Rodriguez

Oct 23, 2012, 5:02:58 PM
On Mon, Oct 22, 2012 at 1:23 PM, <jtra...@rsignia.com> wrote:
I'm a newbie with SNORT and I got it running, sort of.  I am having two issues:

1) I did have SNORT working. I had to shut down the system; when I rebooted, I started getting the following problem when I run SNORT.

When I run the following command:
snort -u snort -g snort -i dag0:0 -c /etc/snort/snort.conf   NOTE:(dag0:0 = port A of the DAG card, dag0:2 = port B)

Initializing Output Plugins!
Log Directory = /data/snortlog
pcap DAQ configured passive.
Acquiring network traffic from 'dag0:0".
ERROR: Can't start DAQ (-1) - SIOCGIFHWADDR: No such device!
Fatal Error, Quiting..

I get the same error if I run:
snort -u snort -g snort -i dag0:0 

I can capture data with an Endace DAG card. Tcpdump can see the DAG card and can capture traffic.

Any help is appreciated.


John Travlos

Hi John,

I noticed you mentioned tcpdump was working with your DAG card, but I'll risk asking anyway:

When you compiled Snort, did you point it to your DAG-enabled pcap library during the ./configure process?

Also, you can find a DAG DAQ over here; it works with DAG's native ERF format, I believe.

https://github.com/SgtMalicious/Endace-DAQ-Module

marcos

John Travlos, Jr.

Oct 24, 2012, 11:06:50 AM

Marcos,

Thanks for the reply.

You did ask a good question. I did compile snort using the DAG-enabled
pcap library. The weird thing is it works when I ssh to the box or
run the system at level 3 (multi-user, no GUI).

I will look at the link you sent.

Thanks,
--
Regards,

John Travlos, Jr.

Rsignia, Inc.

The X-Factor in Cyber Warfare

9693 Gerwig Lane, Suite O
Columbia, MD 21046
p. 410.290.9697 ext. 20
f. 410.290.9694
m. 727-647-1342

www.Rsignia.com
