ajrockefeller / openfpc

Automatically exported from code.google.com/p/openfpc

Problem pulling packets when buffer is set to another drive #27

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.Set buffer to a path not on the primary disk
2.Attempt to use /extract.cgi (via snorby or by hand)

What is the expected output? What do you see instead?
A pcap of the information requested.  Instead the page loads, "Error, Check 
server logs for more data 0 "  

&debug=1 gives:
--------------------------------------------------
OpenFPC - External extraction interface 
Leon Ward 2010 - www.openfpc.org 
--------------------------------------------------

Debug Mode: Args being used for extraction script 
User = <<scrubbedusername>> 
sip = 130.218.124.150 
dip = 0 
spt = 0 
dpt = 0 
protocol = 0 
Logline = ofpc-v1 type:search sip:130.218.124.150 stime:1315509716 
etime:1315513316 timestamp:0  
Timestamp = 0 (Wed Dec 31 19:00:00 1969)
sTimestamp = 1315509716 (Thu Sep  8 15:21:56 2011)
eTimestamp = 1315513316 (Thu Sep  8 16:21:56 2011)
Filename = /tmp/ewGAgjHCir/snorby-21953568223097142214
now = 1315593076 (Fri Sep  9 14:31:16 2011) 
-----------Result-----------
Message: 0 
Filename: 0
MD5 0
Success: 0 
Size: 0 
Filetype: 0 

$VAR1 = 'success';
$VAR2 = 0;
$VAR3 = 'filetype';
$VAR4 = 0;
$VAR5 = 'time';
$VAR6 = 0;
$VAR7 = 'position';
$VAR8 = 'None';
$VAR9 = 'table';
$VAR10 = 0;
$VAR11 = 'message';
$VAR12 = '0';
$VAR13 = 'size';
$VAR14 = 0;
$VAR15 = 'filename';
$VAR16 = 0;
$VAR17 = 'md5';
$VAR18 = 0;
$VAR19 = 'expected_md5';
$VAR20 = 0;

Syslog contains this:
kernel: [771675.097497] type=1503 audit(1315592959.672:2995):  operation="open" 
pid=9137 parent=9136 profile="/usr/sbin/tcpdump" requested_mask="r::" 
denied_mask="r::" fsuid=0 ouid=0 
name="/data/pcap/openfpc-Default_Node.pcap.1315592900"
OpenfpcQ[6412]: Default_Node NODE: Request: 6 User: <<scrubbedusername>> 
Result: Problem performing  0, 0, 0

What version of the product are you using? On what operating system?
OpenFPC 0.6-314 / Ubuntu 10.04.3 LTS 

Please provide any additional information below.
Right now I have the buffer pointed at a directory on /data which is a very 
large/fast disk.  If I change the buffer to point to anything on the primary 
disk it works just fine.  If I switch it back... same thing.

Original issue reported on code.google.com by christia...@gmail.com on 9 Sep 2011 at 6:56

GoogleCodeExporter commented 8 years ago
This is an apparmor and tcpdump topic...

You need to add permission for tcpdump to read pcaps from the dir you have 
your pcaps in.

Edit:
/etc/apparmor.d/usr.sbin.tcpdump

Then:
/etc/init.d/apparmor restart

How did that work out for you?

Original comment by edwardfj...@gmail.com on 10 Sep 2011 at 5:34
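The fix above keeps AppArmor enforcing and only widens the tcpdump profile for the buffer directory. As an added example (not OpenFPC's code nor the commenter's), the script below parses an AppArmor denial line like the one in the syslog excerpt and derives the narrowest rule that matches it; it assumes a POSIX shell with sed, tr and dirname, and the sample log line is constructed to mirror the report.

```shell
#!/bin/sh
# Added example: turn an AppArmor "denied" audit line into the profile rule
# that grants exactly the access that was refused, nothing broader.
# The sample is constructed from the line quoted in the issue report.
SAMPLE_LOG='kernel: [771675.097497] type=1503 audit(1315592959.672:2995):  operation="open" pid=9137 parent=9136 profile="/usr/sbin/tcpdump" requested_mask="r::" denied_mask="r::" fsuid=0 ouid=0 name="/data/pcap/openfpc-Default_Node.pcap.1315592900"'

# Print the value of a key="value" field ($1) from an audit line ($2).
audit_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# Which profile enforced the denial; that is the file under
# /etc/apparmor.d/ the new rule belongs in.
denied_profile() {
    audit_field profile "$1"
}

# Suggest a rule covering the parent directory of the denied file with the
# access mode taken from denied_mask (e.g. "/data/pcap/* r,").
# The mode is copied from the log rather than widened to rw, so the profile
# stays least-privilege; use "/**" instead of "/*" only if the buffer has
# subdirectories.
suggest_rule() {
    path=$(audit_field name "$1")
    mask=$(audit_field denied_mask "$1")
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    # keep only permission letters, dropping the "::" separators in the mask
    mode=$(printf '%s' "$mask" | tr -cd 'rwxmklia')
    dir=$(dirname "$path")
    printf '%s/* %s,\n' "$dir" "$mode"
}

printf 'profile: %s\nrule:    %s\n' \
    "$(denied_profile "$SAMPLE_LOG")" "$(suggest_rule "$SAMPLE_LOG")"
```

Feed it the real line from your syslog to get the rule for your own buffer path, then reload the profile as the comment above describes.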

GoogleCodeExporter commented 8 years ago
Well how about that.  Works like a charm!  Thank you much.

Original comment by christia...@gmail.com on 12 Sep 2011 at 12:39