[Snort-users] CISCO SPAN & Multiple Nics
root at ...28...
Thu Nov 2 09:44:35 EST 2000
Good morning. I moved my snort box into production yesterday. However, I
am not seeing any TCP traffic. Here is my setup.

I have the RMON/SPAN port going to a hub (to test multiple IDSs), then to
eth0. I am using the database plugin, so I have the second NIC connected
to a "regular" port on the switch to send the data to the remote database.

What I want to know is why I am seeing no TCP traffic. Once I get snort
running on this hub, I am going to put a Cisco IDS next to it and run them
side by side.

eth0      Link encap:Ethernet  HWaddr 00:B0:D0:24:F6:6A
          inet addr:10.0.0.0  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1117910 errors:38 dropped:0 overruns:1 frame:48
          TX packets:78 errors:0 dropped:0 overruns:0 carrier:0
          Interrupt:10 Base address:0xe800

eth1      Link encap:Ethernet  HWaddr 00:E0:29:11:73:7C
          inet addr:220.127.116.11  Bcast:18.104.22.168
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1089083 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3835 errors:0 dropped:0 overruns:0 carrier:0
          Interrupt:14 Base address:0xe880

Snort received 305 packets.
Packet loss statistics are unavailable under Linux. Sorry!
Breakdown by protocol:
    TCP: 0 (0.000%)
    UDP: 52 (17.049%)
    ICMP: 0 (0.000%)
    ARP: 75 (24.590%)
    IPv6: 0 (0.000%)
    IPX: 0 (0.000%)
    OTHER: 178 (58.361%)

Coordinator of Systems Administration and Network Security
Indiana State University. Rankin Hall Rm 039
210 N 7th St. Terre Haute, IN.
Voice: 812-237-8843 47809
"You have zero privacy anyway. Get over it."
--Scott McNealy, Sun MicroSystems.