[Snort-devel] New Feature based on MAC address filtering (Possible !!!!!)

Erek Adams erek at ...835...
Wed Jun 18 10:20:08 EDT 2003


On Tue, 17 Jun 2003, Atul Shrivastava wrote:

[...snip...]

>  In my setup the snort sensor and management console are running on the
> same machine. The management uses eth0 and sensor is running in
> promiscuous mode on eth1. So my question is that can I run the Arpwatch on
> the eth1 interface so that whatever the Snort is scanning, ARPWATCH can
> also be able to get all this traffic. Now my doubt is that if I run
> arpwatch on the same interface as of snort sensor then which application
> is able to get the traffic first....??????

Both use libpcap.  Both access the data at the same 'level'.  The packets
are seen by both, and there is no interference with each other.

One thing to make sure of:  Promiscuous mode.  On some of the Linux boxes
I've seen, setting an interface to 'promisc' mode was an on/off switch.
Send it a request to go into promisc, and it does.  Send it a second one,
and it goes out of promisc mode.  Send a third, and it goes promisc again.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
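
The following is an added example, not part of the original message: a shell check that a sensor interface is still in promiscuous mode after a second libpcap tool (such as arpwatch) has been started on it. It assumes a Linux host that exposes interface flags under /sys/class/net; the function names and the SYSFS_NET override are hypothetical and exist only for this example.

```shell
#!/bin/sh
# Added example: report whether interfaces are in promiscuous mode by
# reading the kernel's interface flag word from sysfs (Linux only).

IFF_PROMISC=256   # 0x100, IFF_PROMISC from <linux/if.h>

# SYSFS_NET is an assumption of this example: it lets the check be pointed
# at a constructed directory tree when testing.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# promisc_state IFACE -> prints "promisc", "normal" or "missing"
promisc_state() {
    flags_file="$SYSFS_NET/$1/flags"
    if [ ! -r "$flags_file" ]; then
        echo missing
        return 0
    fi
    read -r flags < "$flags_file" || true     # value looks like 0x1103
    if [ -z "$flags" ]; then
        echo missing
    elif [ $(( $flags & $IFF_PROMISC )) -ne 0 ]; then
        echo promisc
    else
        echo normal
    fi
}

# require_promisc IFACE... -> non-zero exit status if any listed interface
# is not promiscuous; usable from cron or a sensor start-up wrapper.
require_promisc() {
    rc=0
    for ifc in "$@"; do
        state=$(promisc_state "$ifc")
        echo "$ifc: $state"
        [ "$state" = promisc ] || rc=1
    done
    return $rc
}

# When run as a script with arguments, check the named interfaces.
[ "$#" -eq 0 ] || require_promisc "$@"
```

Run it with the sniffing interface as the argument (for the setup in this thread, eth1) after each capture tool starts; a "normal" result means the sensor is only seeing traffic addressed to the host.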



