From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)

Description of problem:
When testing Snort built from source, I discovered that every single Snort rule silently failed to work because $HOME_NET was correctly formatted garbage bits. After some debugging, it appears that pcap_lookupnet() never writes to the variables whose addresses are passed in. The attached test program demonstrates the problem; the program performs correctly on Mandrake 7.1.

A workaround is to use
var HOME_NET xx.yy.zz.ww/aa.bb.cc.dd
with your specific address and netmask instead of the default
var HOME_NET $eth0_ADDRESS
which triggers the bug.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. gcc -Wall -o test1 -I/usr/include/pcap test1.c -lpcap
2. ./test1 eth0

Actual Results:
Interface eth0 = 55555555/aaaaaaaa

Expected Results:
On a system with working libpcap, result shows actual address and netmask.

Additional info:
Created attachment 29474 [details] Source of simple test program
Reassigning to the owner of tcpdump, which is the source package for libpcap.

Tim
$ gcc -o pcap-test pcap-test.c -lpcap -I/usr/include/pcap/
[harald@faro harald]$ ./pcap-test
Usage: ./pcap-test interface
[harald@faro harald]$ ./pcap-test eth0
Interface eth0 = 000210ac/00ffffff
[harald@faro harald]$ /sbin/ifconfig
eth0      Protokoll:Ethernet  Hardware Adresse 00:01:02:F1:85:F4
          inet Adresse:172.16.2.162  Bcast:172.16.2.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2897199 errors:0 dropped:0 overruns:1 frame:0
          TX packets:2130706 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0
          RX bytes:2521268307 (2404.4 Mb)  TX bytes:2223600408 (2120.5 Mb)
$ rpm -qf /usr/include/pcap/pcap.h
libpcap-0.6.2-9
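
An added example, not the attached test program and not part of any comment above: it decodes the two value pairs quoted in this report and checks whether each is a plausible network/netmask pair, which is the sanity check a consumer such as the $HOME_NET expansion could apply to a pcap_lookupnet() result. The function names are hypothetical, and it assumes the values were printed with %08x on a little-endian host from fields held in network byte order.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the lowest byte of the printed value is the first octet of
 * the address, i.e. a network-byte-order field printed on little-endian. */
static uint32_t to_host_order(uint32_t printed)
{
    return ((printed & 0xffu) << 24) | ((printed & 0xff00u) << 8) |
           ((printed >> 8) & 0xff00u) | (printed >> 24);
}

/* Render a printed value as a dotted quad; buf must hold 16 bytes. */
const char *dotted(uint32_t printed, char *buf, size_t len)
{
    uint32_t h = to_host_order(printed);
    snprintf(buf, len, "%u.%u.%u.%u", (unsigned)(h >> 24),
             (unsigned)((h >> 16) & 0xff), (unsigned)((h >> 8) & 0xff),
             (unsigned)(h & 0xff));
    return buf;
}

/* Plausible result: the mask's one bits are contiguous from the top and
 * the network number has no host bits set. Returns 1 if plausible. */
int plausible_net(uint32_t printed_net, uint32_t printed_mask)
{
    uint32_t net = to_host_order(printed_net);
    uint32_t mask = to_host_order(printed_mask);
    uint32_t inv = ~mask;                 /* host bits */
    if (mask == 0 || (inv & (inv + 1)) != 0)
        return 0;                         /* not a contiguous prefix mask */
    return (net & inv) == 0;
}

int main(void)
{
    /* Constructed input: the two value pairs quoted in this report. */
    const uint32_t pairs[2][2] = { { 0x55555555u, 0xaaaaaaaau },
                                   { 0x000210acu, 0x00ffffffu } };
    char n[16], m[16];
    for (int i = 0; i < 2; i++)
        printf("%08x/%08x -> %s/%s plausible=%d\n",
               (unsigned)pairs[i][0], (unsigned)pairs[i][1],
               dotted(pairs[i][0], n, sizeof n),
               dotted(pairs[i][1], m, sizeof m),
               plausible_net(pairs[i][0], pairs[i][1]));
    return 0;
}
```

Read this way, 000210ac/00ffffff is 172.16.2.0/255.255.255.0, which matches the ifconfig output in the comment above, while 55555555/aaaaaaaa fails the mask check.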