An alchemists view from the bar

Network Security Alchemy

“Not using PCAP_FRAMES”, A.k.a When good verbosity goes bad

with 26 comments

The same questions get posted again and again to the Snort forums; at the moment, the one that catches my eye most often is also the most frequently misunderstood.

Help !!!!!!!!
Snort doesn’t work !
It dies with a “Not Using PCAP_FRAMES” error message.
Quick, quick help me now!

I’m ranting about this here so hopefully when people google the “Not using PCAP_FRAMES” message before blindly posting to the forums or mail lists for help (I know, I can dream), maybe this post will appear in their search results solving their non-issue.

What is an error message?

Let’s look at a real error message first, unlike the one above.

--== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file /this/rules/file/does/not/exist
ERROR: Unable to open rules file: /this/rules/file/does/not/exist or /this/rules/file/does/not//this/rules/file/does/not/exist
Fatal Error, Quitting..

The error condition above is clearly identified. Other messages not prefixed with “ERROR” are supporting messages that help a user understand what the system is doing. This rule holds true for most software, not Snort alone.

What is a PCAP_FRAME?

PCAP_FRAMES is an environment variable that is used to pass a configuration setting to a custom pcap library, specifically the code by Phil Woods (Nice job by the way Phil). If you have not built snort against Phil’s libpcap that supports pcap ring buffers in shared memory, PCAP_FRAMES means absolutely NOTHING to you, zip, nout, fsck all, nada.

If you are unsure if you have built Snort against Phil’s libpcap or a stock distribution, then trust me you’re using a stock libpcap.

For those who are interested, PCAP_FRAMES defines a size (in frames) of a pcap ring-buffer in shared memory.

Are you sure? It looks like Snort stops with this as an error.

Yes I’m sure, and I find your lack of faith disturbing. Let’s look at the code in snort.c to check.

    if( getenv("PCAP_FRAMES") )
    {
        LogMessage("Using PCAP_FRAMES = %s\n", getenv("PCAP_FRAMES") );
    }
    else
    {
        LogMessage("Not Using PCAP_FRAMES\n" );
    }

If the environment variable PCAP_FRAMES is set, Snort shows its value to the user during initialization. If the environment variable is not set, Snort tells the user that PCAP_FRAMES is not being used. Either way it is a LogMessage, not an error, and startup carries on.

For example, I’ll start up Snort as a sniffer on my Mac with a stock libpcap.

[09:12:32]lward@drax~$ sudo snort -vdei en0 > /dev/null
Password:
Running in packet dump mode
-snip verbose startup output-
,,_     -*> Snort! <*-
o"  )~   Version 2.8.0.2 (Build 75)
''''    By Martin Roesch & The Snort Team:
http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
Not Using PCAP_FRAMES
^C*** Caught Int-Signal
==============================================================
Packet Wire Totals:

-SNIP-

Here Snort has started up and was sniffing without error (until I hit CTRL+C). Now let’s set PCAP_FRAMES to some garbage, because it will have no effect on Snort’s behavior or on my stock libpcap.

bash-3.2# export PCAP_FRAMES="Foo Bar This setting has no impact on my libpcap instance"
bash-3.2# snort -dvei en0 > /dev/null
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
Initializing Network Interface en0
OpenPcap() device en0 network lookup:
en0: no IPv4 address assigned
Decoding Ethernet on interface en0
--== Initialization Complete ==--
 ,,_     -*> Snort! <*-
o"  )~   Version 2.8.0.2 (Build 75)
 ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
Using PCRE version: 7.6 2008-01-28
Using PCAP_FRAMES = Foo Bar This setting has no impact on my libpcap instance
 ^C*** Caught Int-Signal
 ===================================

So in summary, this verbose message has no meaning to most users of Snort. If you are running Snort as an IDS but not in daemon mode, don’t expect to see anything on STDOUT until you stop the process (hit CTRL+C to send a SIGINT).
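To make the “ERROR prefix vs. supporting message” rule concrete, here is a small triage script I have added to this post (it is not code from Snort or from the original article). It runs the rule over constructed samples abridged from the two transcripts above and reports whether Snort actually failed; the names `triage`, `ERROR_RE` and `PCAP_FRAMES_RE` are my own.

```python
"""Triage Snort startup output: separate real errors from verbose notices.

Added example, not code from Snort or from the post. It applies the rule the
post states: only lines prefixed "ERROR" (and the "Fatal Error" line that
follows) signal a failure; everything else, including the PCAP_FRAMES line
printed by the getenv() check in snort.c, is informational.
"""
import re

# Snort marks genuine failures explicitly; both forms appear in the post's
# sample output for a missing rules file.
ERROR_RE = re.compile(r"^(ERROR:|Fatal Error)")
# The PCAP_FRAMES notice has exactly two forms, one per branch of the getenv() check.
PCAP_FRAMES_RE = re.compile(r"^(Not Using PCAP_FRAMES|Using PCAP_FRAMES = )")


def triage(output: str) -> dict:
    """Return whether the output contains a real error, the error lines found,
    and the PCAP_FRAMES notice (if any) so it can be reported as informational."""
    errors = []
    notice = None
    for line in output.splitlines():
        line = line.strip()          # Snort indents some banner lines
        if ERROR_RE.match(line):
            errors.append(line)
        elif PCAP_FRAMES_RE.match(line):
            notice = line
    return {"fatal": bool(errors), "errors": errors, "pcap_frames_notice": notice}


# Constructed samples, abridged from the transcripts in the post.
MISSING_RULES = """\
--== Initializing Snort ==--
Parsing Rules file /this/rules/file/does/not/exist
ERROR: Unable to open rules file: /this/rules/file/does/not/exist
Fatal Error, Quitting..
"""

STOCK_LIBPCAP = """\
Using PCRE version: 7.6 2008-01-28
Not Using PCAP_FRAMES
 ^C*** Caught Int-Signal
"""

if __name__ == "__main__":
    for name, sample in (("missing rules", MISSING_RULES), ("stock libpcap", STOCK_LIBPCAP)):
        r = triage(sample)
        print(f"{name}: fatal={r['fatal']} notice={r['pcap_frames_notice']!r}")
```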

As always, happy Snortin’
-Leon


Written by leonward

July 18, 2008 at 6:13 pm

Posted in Security


26 Responses


  1. You can not imagine how much this helped! Thanks a lot!

    Negar

    November 14, 2008 at 7:24 pm

  2. Thanks a lot, friend.. May Google bring this up on the very first result when searched with “Not using PCAP_FRAMES”. What a relief! Thanks!

    Vikas

    January 14, 2009 at 5:44 am

  3. This one is good. I was running snort for quite a while with the message “Not Using PCAP_FRAMES”. I just didn’t like the message, now I have a custom one which makes it look better.

    -=Srijan

    Srijan

    February 2, 2009 at 1:52 pm

  4. Thanks, that is great.
    mmmmmmm, but I have some questions to ask, considering the source code of snort… where should I write the questions??

    Ahmad

    July 4, 2009 at 4:59 pm

  5. Thank you a lot man.
    That was helpful.

    Mondher

    July 7, 2009 at 7:43 am

  6. Heh, thanks for the article – saves a lot of digging through forums for what isn’t an issue 🙂

    Mike

    July 15, 2009 at 10:18 pm

  7. Thank you very much for the info on “Not Using PCAP_FRAMES”.

    I was about to post to snort forums…and I saw this. Your post saved me and others a lot of time.

    H

    August 14, 2009 at 7:20 pm

  8. Google search got me here and it answered my question! Thanks for taking the time to post this for everyone.

    Bishop

    September 9, 2009 at 12:33 am

  9. Great posting!!!

    Eric J

    November 29, 2009 at 8:19 am

  10. The last sentence was all i needed…

    Bob

    February 3, 2010 at 12:28 am

    • And it’s the answer I have provided to people many many times before. Hence the rant 🙂

      leonward

      February 4, 2010 at 10:20 am

  11. very good. thanks. Can you explain this as well?
    Initalizing rule chains…
    Warning: c:\snort\rules/dos.rules(58)=>threshold(in rule) is deprecated; use detection_filter instead.

    emari2

    March 14, 2010 at 7:23 am

    • It’s letting you know that the threshold keyword is deprecated. The modern equivalent is detection_filter. The threshold will still continue to function for a while but you shouldn’t create new rules using it.

      leonward

      March 14, 2010 at 11:15 am

  12. I have installed snort on my ubuntu for two days, and when I typed sudo snort -dev it gives me the error “not using pcap_frames”. What shall I do?

    mena

    April 9, 2010 at 4:21 pm

    • Err, are you joking? Did you read the post you commented on?

      leonward

      April 11, 2010 at 7:32 pm

      • I have the same problem.

        Could you clear this message in source of snort?

        jackwssp@gmail.com

        May 23, 2010 at 11:18 pm

      • Once again, it’s not a problem. It’s normal operation.
        But yes, you could remove the LogMessage line I show above from Snort without breaking its core function.

        leonward

        May 24, 2010 at 7:38 am

  13. Thanks – a bit confusing but on the second read I understand – the ‘error’ is purely informational.

    One thing people may not realise is that they need to specify the interface snort should use in order to see the results beyond just that message.

    i.e., if you’re on a notebook with wireless, snort may default to your ethernet nic “eth0” and stop after the pcap_frames message, which does make it appear a bit like an error.

    Try specifying the interface such as “snort -i wlan0 -vde” and snort will glaze past that notice and show you the data it’s snorting.

    Thanks for your time in posting this Leon.

    Spoona

    May 2, 2010 at 2:16 am

    • I have specified the interface by using the command “snort -i eth0 -vd”, still it’s not displaying the data on the terminal it’s snorting…..

      Avanti

      January 20, 2012 at 8:05 am

      • Are there packets?

        leonward

        March 15, 2012 at 12:37 pm

  14. Awesome, I noticed it seemed to be working fine, but the way the message is written makes many think it’s something bad.

    Anyways, good to know it’s nothing wrong. And I think mena was joking.

    LEBATO

    May 5, 2010 at 2:55 pm

  15. WOW dude… thanks man, you’re the savior for my obsessed mind!

    rust

    August 3, 2010 at 8:30 am

  16. Leon,
    Your post is articulate and your patience is saint like.

    Eddy

    January 13, 2011 at 6:31 pm

  17. This is my first time assembling snort, using the Kasey Efaw – Installing snort 2.8.6.1 on Windows 7, instructions found on Snort.org. Not using PCAP_FRAMES has become a big topic here. In my case, when I ran c:\snort\bin\snort -v -i1 Not using PCAP_FRAMES did NOT come up.

    Does this have any significance in the performance of snort?

    Also, does anyone know of a source where I can get detailed description on what Snort does, and how it works.

    Your input is appreciated

    Cruzequities@yahoo.com

    April 29, 2011 at 6:35 am

    • Once again, this is verbose output and only intended for those who are expecting to use PCAP_FRAMES. It can be safely ignored if you don’t understand what it is.

      leonward

      May 16, 2011 at 8:19 am

