
Re: snort problem

On Tue, Feb 20, 2001 at 11:21:45AM +0200, Viljo Marrandi wrote:
> Feb 20 10:54:17 equinoxe modprobe: modprobe: Can't locate module net-pf-17
> Feb 20 10:54:17 equinoxe snort: ERROR: OpenPcap() device eth0 open:
> ^Isocket: Socket type not supported
> Firstly, what is net-pf-17? I couldn't find it anywhere (grepped thru
> kernel source). And why it says that socket type not supported? I
> installed all required packages for it - libc6_2.2.1 and libpcap0. What
> could possibly be wrong?

First of all, that 'pf' stands for 'protocol family', like PF_INET for IP or
PF_IPX for IPX and so on.  You have the list of protocol families in the
file /usr/include/linux/socket.h, from there you'll notice that AF_PACKET
(yes, it is the same as PF_PACKET, don't ask why the duplicate naming)
has the magic value of 17.  

So in short, you're missing the packet socket support from your kernel.
Once you enable it, snort/tcpdump/anything that uses libpcap should work.

Tommi Komulainen                                 Tommi.Komulainen@iki.fi
GPG 1024D/68388EE6    6FD6 DD79 EB38 BF6F 3533  09C0 04A8 9871 6838 8EE6
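
A small diagnostic for the failure discussed in this thread, added here as an example and not part of the original message: it decodes a `net-pf-N` modprobe alias and probes whether the running kernel accepts a packet socket. The function names and the set of errno values treated as "no kernel support" are assumptions of this example; `CONFIG_PACKET` is the kernel option for packet sockets.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_PACKET
#define AF_PACKET 17        /* value the post cites from linux/socket.h */
#endif
#define PROBE_PROTO 0x0003  /* ETH_P_ALL: every protocol, as a sniffer asks for */
enum pkt_status { PKT_OK, PKT_NEED_PRIV, PKT_NO_KERNEL_SUPPORT, PKT_OTHER };

/* Parse a modprobe alias like "net-pf-17"; return the family number or -1. */
int parse_net_pf_alias(const char *alias)
{
    char *end;
    if (strncmp(alias, "net-pf-", 7) != 0 || alias[7] < '0' || alias[7] > '9')
        return -1;
    long n = strtol(alias + 7, &end, 10);
    return (*end == '\0' && n < 256) ? (int)n : -1;
}

/* Map the errno of a failed socket(AF_PACKET, ...) call to a diagnosis. */
enum pkt_status classify_errno(int err)
{
    switch (err) {
    case EPERM: case EACCES: return PKT_NEED_PRIV;  /* family exists */
    case EAFNOSUPPORT: case ESOCKTNOSUPPORT: return PKT_NO_KERNEL_SUPPORT;
    default: return PKT_OTHER;
    }
}

/* Open a raw packet socket, the kind of socket a capture tool needs. */
enum pkt_status probe_packet_socket(void)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(PROBE_PROTO));
    if (fd < 0)
        return classify_errno(errno);
    close(fd);
    return PKT_OK;
}

int main(void)
{
    static const char *msg[] = { "available", "needs CAP_NET_RAW", "no CONFIG_PACKET", "other error" };
    printf("packet sockets: %s\n", msg[probe_packet_socket()]);
    return 0;
}
```

Run unprivileged, a kernel with packet socket support reports that the capability is missing rather than that the family is unsupported, which separates a permissions problem from the kernel configuration problem described above.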
