[Snort-users] Kernel complaint about MAC being seen on multiple interfaces

Nuno Fernandes nfernandes at ...1264...
Wed Apr 4 23:50:50 EDT 2001


I believe if you have forwarding enabled on your freebsd system, MAC addr
will be sent out the other NIC. That would give you that message.


----- Original Message -----
From: "Tom Sevy" <tsevy at ...1701...>
To: "Snort-Users eMail List (E-mail)" <snort-users at lists.sourceforge.net>
Sent: Wednesday, April 04, 2001 7:37 AM
Subject: [Snort-users] Kernel complaint about MAC being seen on multiple
interfaces


> I also posted this to comp.unix.bsd.freebsd.misc but have not seen any
> responses yet, hoping someone here may have an answer.
>
> FreeBSD 4.2-Release, setup as Snort to monitor on four different NICs.
>
> One NIC has an IP assigned to it (tl0), and three others (dc0, dc1, dc2)
are
> set to up, but *no
> IP address* on them (confirmed with ifconfig).  This is done because each
> NIC
> goes into a catalyst switch with port monitoring (port mirror or span)
> setup on the same subnet.
>
> Syslog is showing that a given MAC is being seen by three NICs.  This MAC
> belongs to an Alteon Web Switch.  It is the hard IP/MAC and not the
Virtual
> IP/MAC.  Is it safe to ignore this?  Of is there anything that can be
> configured in the kernel to ignore this scenario?
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>





More information about the Snort-users mailing list