[Snort-users] Re: Some reasonably dumb questions!

Peter Bates peter.bates at ...79...
Fri Jan 19 17:13:38 EST 2001


Hello all again...

I think I'm moving a bit closer, but I have
a terrible feeling I'm either going mad, or
have been mad for a long time...

I've basically figured out that if I don't
try and have both ethernet cards in my machine
connected at the same time, I can usually see
traffic on one of the 'cards'...

They're both the same make (Intel EtherExpress 100)
and so if I run a Linux kernel with the card driver
either rolled in, or just do insmod and friends, both
cards magically appear under ifconfig, just obviously
without IP addresses...

I can seemingly do

ifconfig eth0 up promisc

and then see some traffic with tcpdump and snort...

I can see some traffic if I do

snort -dvi eth0 port 21

and go to one of two boxes hanging off the same
4-port hub that the snort box is connected to...
but not to one of the other machines!!!

Arggggh!

Are my network cards just weird, am I misunderstanding something
quite significant here, or what?

I'm running either Linux 2.2.16 or 2.4.0 (neither work properly!)
on a stock RedHat 6.2 box, with the libpcap
that RH throw in... is this my problem???

And in addition, how does the kernel/system
differentiate between the two cards when both
are actually connected? It seems clear that
when only one of the two is 'wired' that eth0
seems to be attached to that one (when I bring
an interface up)...

Or should I just go and lie down in a darkened room?


Thanks again...


-- 
---------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362



