[Snort-users] Kernel complaint about MAC being seen on multiple interfaces

Tom Sevy tsevy at ...1701...
Wed Apr 4 07:37:50 EDT 2001


I also posted this to comp.unix.bsd.freebsd.misc but have not seen any
responses yet, hoping someone here may have an answer.

FreeBSD 4.2-Release, setup as Snort to monitor on four different NICs.

One NIC has an IP assigned to it (tl0), and three others (dc0, dc1, dc2) are
set to up, but *no
IP address* on them (confirmed with ifconfig).  This is done because each
NIC
goes into a catalyst switch with port monitoring (port mirror or span)
setup on the same subnet.

Syslog is showing that a given MAC is being seen by three NICs.  This MAC
belongs to an Alteon Web Switch.  It is the hard IP/MAC and not the Virtual
IP/MAC.  Is it safe to ignore this?  Of is there anything that can be
configured in the kernel to ignore this scenario?





More information about the Snort-users mailing list