[Snort-users] Kernel complaint about MAC being seen on multiple interfaces

Tom Sevy tsevy at ...1701...
Thu Apr 5 07:52:39 EDT 2001


Can you elaborate on an FEC driver?  If I have four Catalyst 3500XL series
switches on a LAN segment.  I thought I could only accomplish complete
coverage by Snort with a NIC to each switch, then using Port Mirroring so
that these NICs would see all the traffic each switch is passing.  Wouldn't
FEC only work within a single switch?

I did find a solution that involved a modification to if_ether.c so that it
doesn't send out those messages.  I implemented it yesterday and it seems to
be working just fine.  I don't know that this is the best solution, but it
was the only suggestion I had at the time and so I went with it.

-----Original Message-----
From: Doug White [mailto:dwhite at ...1486...]
Sent: Wednesday, April 04, 2001 11:36 PM
To: Tom Sevy
Cc: Snort-Users eMail List (E-mail)
Subject: Re: [Snort-users] Kernel complaint about MAC being seen on
multiple interfaces

On Wed, 4 Apr 2001, Tom Sevy wrote:

> Syslog is showing that a given MAC is being seen by three NICs.  This MAC
> belongs to an Alteon Web Switch.  It is the hard IP/MAC and not the
> IP/MAC.  Is it safe to ignore this?  Or is there anything that can be
> configured in the kernel to ignore this scenario?

This is probably because you have all the NICs plugged into the same VLAN,
which is a no-no.  If you want to trunk span ports, you might try to find
the 'fec' driver, which does Fast Etherchannel.

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
