[Snort-users] Kernel complaint about MAC being seen on multiple interfaces

Doug White dwhite at ...1486...
Thu Apr 5 17:15:50 EDT 2001


On Thu, 5 Apr 2001, Tom Sevy wrote:

> Can you elaborate on an FEC driver?  If I have four Catalyst 3500XL series
> switches on a lan segment.  I thought I could only accomplish complete
> coverage by Snort with a NIC to each switch, then using Port Mirroring so
> that these NICs would see all the traffic each switch is passing.  Wouldn't
> FEC only work within a single switch?

You should read the Cisco docs on span ports. You can span one switch to
another and cascade them, but this is notably ugly.

http://www.cisco.com/warp/public/473/41.html

> I did find a solution that involved a modification to if_ether.c so that it
> doesn't send out those messages.  I implemented it yesterday and it seems to
> be working just fine.  I don't know that this is the best solution, but it
> was the only suggestion I had at the time and so I went with it.

You fixed it the brute-force way, but you may experience strange ARP
problems as the system is confused just what network is plugged in where.

You shouldn't have the sensors plugged into the same VLAN .. you should
create a new VLAN, put your sensor on it, then send all the monitor
traffic to that port. This way one sensor won't "see" the other and cause
mass confusion.

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
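As an added illustration of the VLAN isolation Doug describes (not part of the original message), a switch configuration that puts a sensor's sniffing port in its own VLAN and feeds it the mirrored traffic. It is written in the later Catalyst IOS `monitor session` syntax rather than the 3500XL's own `port monitor` command; VLAN numbers, interface names and descriptions are assumed.

```cisco
! Added example, not from the original post. Later Catalyst IOS syntax;
! VLAN ids and interface names are assumptions.
!
! Dedicated VLAN for sensor monitor ports, so one sensor never "sees"
! the other sensor's frames on the production segment.
vlan 900
 name IDS-SENSORS
!
! Port the Snort sensor's sniffing NIC is plugged into.
interface FastEthernet0/24
 description Snort sensor 1 - monitor NIC
 switchport mode access
 switchport access vlan 900
!
! Mirror the production ports (assumed Fa0/1-12) to the sensor port.
! A SPAN destination receives copies only; it does not forward traffic.
monitor session 1 source interface FastEthernet0/1 - 12 both
monitor session 1 destination interface FastEthernet0/24
!
! Checks after applying:
!   show monitor session 1
!   show vlan id 900
```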