[Snort-users] eth0 leaving promiscuous mode

Marko Jennings marko at ...303...
Sat Oct 14 21:19:00 EDT 2000


Hi,

I am running snort-1.6.3-patch2 on a Pentium 133MHz with 96MB of RAM
under Red Hat 6.2 (2.2.14-5.0 kernel).  My problem is that the network
card seems to be leaving promiscuous mode immediately after it enters it
when snort starts.  Because of that, only traffic to and from it's
address is being analyzed.  Below are relevant syslog messages.

Oct 14 21:08:46 usdtwids0001 kernel: snort uses obsolete
(PF_INET,SOCK_PACKET)
Oct 14 21:08:46 usdtwids0001 kernel: device eth0 entered promiscuous
mode
Oct 14 21:08:46 usdtwids0001 kernel: device eth0 left promiscuous mode
Oct 14 21:08:46 usdtwids0001 snort:
Oct 14 21:08:46 usdtwids0001 snort: Initializing Network Interface...
Oct 14 21:08:46 usdtwids0001 snort: Initializing daemon mode
Oct 14 21:08:46 usdtwids0001 snort: Starting NIDS succeeded

I have another box where this does not happen, and I don't know what is
making the difference.  I tried three different network cards (two
3com's and one Intel) and nothing changed.

I would greatly appreciate any help.

Sincerely,

Marko Jennings



More information about the Snort-users mailing list