[Snort-users] Re: Some reasonably dumb questions!

russ yonah yonah at ...569...
Sun Jan 21 01:36:45 EST 2001


You might try taking two different netowrk cards. I believe RH has a long
history of problems when two network cards use the same module. usually
the problem includes that one configuration overwrites the second.
yonah

On Fri, 19 Jan 2001, Peter Bates wrote:

> 
> Hello all again...
> 
> I think I'm moving a bit closer, but I have
> a terrible feeling I'm either going mad, or
> have been made for a long time...
> 
> I've basically figured out that if I don't
> try and have both ethernet cards in my machine
> connected at the same time, I can usually see
> traffic on one of the 'cards'...
> 
> They're both the same make (Intel EtherExpress 100)
> and so if I run a Linux kernel with the card driver
> either rolled in, or just do insmod and friends, both
> cards magically appear under ifconfig, just obviously
> without IP addresses...
> 
> I can seemingly do
> 
> ifconfig eth0 up promisc
> 
> and then see some traffic with tcpdump and snort...
> 
> I can see some traffic if I do
> 
> snort -dvi eth0 port 21
> 
> and go to one of two boxes hanging off the same
> 4-port hub that the snort box is connected to...
> but not to one of the other machines!!!
> 
> Arggggh!
> 
> Are my network cards just weird, am I misunderstanding something
> quite significant here, or what?
> 
> I'm running either Linux 2.2.16 or 2.4.0 (neither work properly!)
> on a stock RedHat 6.2 box, with the libpcap
> that RH throw in... is this my problem???
> 
> And in addition, how does the kernel/system
> differentiate between the two cards when both
> are actually connected? It seems clear that
> when only one of the two is 'wired' that eth0
> seems to be attached to that one (when I bring
> an interface up)...
> 
> Or should I just go and lie down in a darkened room?
> 
> 
> Thanks again...
> 
> 
> 






More information about the Snort-users mailing list