From: Frank E. <hi...@fr...> - 2004-04-01 09:12:21

Hello,

> I use fedora with snortinline2.1(binary) and barnyard 0.2rc1
> but i cant see ipheader or payload

The unified output plugin of Snort always writes the complete packet, including all headers, to the output file. The packet data is decoded by Barnyard again. When the inline patch is applied to Snort, the Ethernet header of the original packets is missing in the output file, but Barnyard still tries to decode the Ethernet header.

Have a look into the file output-plugins/op_decode.c of the Barnyard code. I have no ready-to-use patch available, but I think when you replace the function DecodeEthPkt() by the following code, Barnyard should work with Snort-Inline.

    void DecodeEthPkt(Packet *p, SnortPktHeader *pkthdr, u_int8_t *pkt)
    {
        u_int32_t len;
        u_int32_t cap_len;

        bzero((char *) p, sizeof(Packet));
        p->pkth = pkthdr;

        len = pkthdr->pktlen;
        cap_len = pkthdr->caplen;

        /* Snort-Inline stores the packet without an Ethernet header,
         * so hand the buffer straight to the IP decoder instead of
         * skipping 14 bytes of Ethernet header first. */
        DecodeIP(pkt, cap_len, p);
    }

best regards
Frank Eberle
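An added illustration of the mismatch described above (example code, not part of this message or of Barnyard): a minimal IPv4 decoder with a switch for whether the 14-byte Ethernet header is present, run over a constructed Snort-Inline style buffer that starts directly at the IP header. Decoding such a buffer as if it carried an Ethernet header fails the EtherType check, which is the symptom the quoted report describes; the names `decode_ip`, `IpSummary` and `SAMPLE_INLINE_PKT` are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not Barnyard code): decode an IPv4 header either after a
 * 14-byte Ethernet header (plain Snort unified output) or at offset 0
 * (Snort-Inline output, where no Ethernet header is stored). */

#define ETH_HDR_LEN 14
#define ETH_TYPE_IP 0x0800

typedef struct {
    int ok;            /* 1 if a sane IPv4 header was found */
    uint8_t proto;     /* IP protocol number, e.g. 6 = TCP */
    uint32_t src, dst; /* addresses in host byte order */
} IpSummary;

/* has_eth: nonzero if the buffer is expected to start with an Ethernet header */
IpSummary decode_ip(const uint8_t *pkt, size_t cap_len, int has_eth)
{
    IpSummary s;
    size_t off = 0;
    memset(&s, 0, sizeof s);
    if (has_eth) {
        if (cap_len < ETH_HDR_LEN) return s;
        uint16_t ethtype = (uint16_t)((pkt[12] << 8) | pkt[13]);
        if (ethtype != ETH_TYPE_IP) return s;   /* not IP after Ethernet */
        off = ETH_HDR_LEN;
    }
    if (cap_len - off < 20) return s;           /* truncated IP header */
    const uint8_t *ip = pkt + off;
    if ((ip[0] >> 4) != 4) return s;            /* not IPv4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > cap_len - off) return s;
    s.proto = ip[9];
    s.src = ((uint32_t)ip[12] << 24) | ((uint32_t)ip[13] << 16) | (ip[14] << 8) | ip[15];
    s.dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) | (ip[18] << 8) | ip[19];
    s.ok = 1;
    return s;
}

/* Constructed sample: a bare 20-byte IPv4/TCP header 10.0.0.1 -> 10.0.0.2
 * with no Ethernet header, as a Snort-Inline unified log would store it. */
const uint8_t SAMPLE_INLINE_PKT[20] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2 };
```

Running the same buffer through the Ethernet path first (has_eth = 1) reads bytes 12 and 13 of the IP header as an EtherType, which is exactly why Barnyard shows neither IP header nor payload for inline logs.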