sflowtool configuration with snort


Dridi Lobna

Jan 18, 2017, 9:31:21 PM
to sFlow
Hi all,

I use Snort to detect attacks in sampled packets.
For this I use sFlow to sample the packets.
I configured the sFlow agent on an OVS (Open vSwitch) and I use sflowtool.
When I execute the command in the OVS:
sflowtool -t | snort -Afull -r - -c snort.conf

I have an error message

" error : can't initialize DAQ PCAP (-1) - truncated dump file; tried to read 4 file header byte, onbly get 0 "


I'm so confused, I don't know exactly where to put the commands (on the OVS or on the Snort sensor)?
Please, I need your help very urgently.

Best regards,

Lobna

Neil McKee

Jan 19, 2017, 1:13:54 PM
to sFlow
I suggest you test with something like this:

sflowtool -t | tcpdump -r -

to make sure that the PCAP feed from sflowtool is OK.

If that doesn't shed any light, then I suggest you compile sflowtool from the latest GitHub sources, then compare this code:

with whatever Snort is doing to read the pcap header.

Neil
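A stream check that can be run in place of the tcpdump test above, added here as an example and not code from sflowtool, Snort or either poster: it parses the pcap global header that "sflowtool -t" writes and walks the packet records, so an empty or truncated feed is reported with the byte count actually read (the "only got 0" case) instead of failing inside the DAQ. The script name pcapcheck.py and the sample bytes are constructed for this example.

```python
"""Sanity-check a pcap feed: parse the global header, walk the records, report truncation."""
import io
import struct
import sys

# pcap magic as read little-endian -> (struct byte order of the file, timestamp unit)
MAGICS = {0xA1B2C3D4: ("<", "usec"), 0xD4C3B2A1: (">", "usec"),
          0xA1B23C4D: ("<", "nsec"), 0x4D3CB2A1: (">", "nsec")}

def check_pcap_stream(stream):
    """Return header fields and packet count, or raise ValueError describing the defect."""
    head = stream.read(24)
    if len(head) < 24:  # an empty feed (0 bytes) is what the DAQ error in the thread reports
        raise ValueError(f"truncated global header: wanted 24 bytes, got {len(head)}")
    magic = struct.unpack("<I", head[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x}: not a pcap stream")
    endian, ts_unit = MAGICS[magic]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", head[4:])
    packets = 0
    while True:
        rec = stream.read(16)
        if not rec:  # clean end of stream
            break
        if len(rec) < 16:
            raise ValueError(f"truncated record header after {packets} packets")
        _sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen:  # the same plausibility check libpcap applies
            raise ValueError(f"record {packets}: incl_len {incl_len} exceeds snaplen {snaplen}")
        if len(stream.read(incl_len)) < incl_len:
            raise ValueError(f"truncated packet data in record {packets}")
        packets += 1
    return {"version": (major, minor), "linktype": linktype, "snaplen": snaplen,
            "ts_unit": ts_unit, "packets": packets}

def feed_status(data):
    """One-line verdict for an in-memory feed (what the pipe would have handed to Snort)."""
    try:
        info = check_pcap_stream(io.BytesIO(data))
    except ValueError as err:
        return f"bad pcap feed: {err}"
    return f"ok: {info['packets']} packets, linktype {info['linktype']}, snaplen {info['snaplen']}"

# Constructed sample: little-endian pcap, Ethernet (linktype 1), snaplen 128, two 14-byte records
ETH_HDR = b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00"
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 128, 1)
               + struct.pack("<IIII", 1484776281, 0, 14, 60) + ETH_HDR
               + struct.pack("<IIII", 1484776282, 0, 14, 1500) + ETH_HDR)
if __name__ == "__main__":  # e.g.  sflowtool -t | python3 pcapcheck.py
    print(feed_status(sys.stdin.buffer.read()))
```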