[Snort-users] CISCO SPAN & Multiple Nics

F.M. Taylor root at ...28...
Thu Nov 2 09:44:35 EST 2000


Good morning.  I moved my Snort box into production yesterday. However, I
am not seeing any TCP traffic.  Here is my setup.
I have the RMON/SPAN port going to a hub (to test multiple IDSs), then to
eth0.  I am using the database plugin, so I have the second NIC connected
to a "regular" port on the switch to send the data to the remote database.
What I want to know is why I am seeing no TCP traffic.  Once I get Snort
running on this hub, I am going to put a Cisco IDS next to it and run them
side by side.


eth0      Link encap:Ethernet  HWaddr 00:B0:D0:24:F6:6A
          inet addr:10.0.0.0  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1117910 errors:38 dropped:0 overruns:1 frame:48
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:11:73:7C
          inet addr:139.102.49.76  Bcast:139.102.49.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1089083 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3835 errors:0 dropped:0 overruns:0 carrier:0
          collisions:12 txqueuelen:100
          Interrupt:14 Base address:0xe880

===============================================================================
Snort received 305 packets.
Packet loss statistics are unavailable under Linux.  Sorry!

Breakdown by protocol:
    TCP: 0          (0.000%)
    UDP: 52         (17.049%)
   ICMP: 0          (0.000%)
    ARP: 75         (24.590%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 178        (58.361%)
===============================================================================
OK
nids1:/usr/local/snort#


---
Mike Taylor
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 039
210 N 7th St.                           Terre Haute, IN.
Voice: 812-237-8843                                  47809
---
"You have zero privacy anyway.  Get over it."
           --Scott McNealy, Sun MicroSystems. 



