[Snort-users] Re: Some reasonably dumb questions!
yonah at ...569...
Sun Jan 21 01:36:45 EST 2001
You might try taking two different netowrk cards. I believe RH has a long
history of problems when two network cards use the same module. usually
the problem includes that one configuration overwrites the second.
On Fri, 19 Jan 2001, Peter Bates wrote:
> Hello all again...
> I think I'm moving a bit closer, but I have
> a terrible feeling I'm either going mad, or
> have been made for a long time...
> I've basically figured out that if I don't
> try and have both ethernet cards in my machine
> connected at the same time, I can usually see
> traffic on one of the 'cards'...
> They're both the same make (Intel EtherExpress 100)
> and so if I run a Linux kernel with the card driver
> either rolled in, or just do insmod and friends, both
> cards magically appear under ifconfig, just obviously
> without IP addresses...
> I can seemingly do
> ifconfig eth0 up promisc
> and then see some traffic with tcpdump and snort...
> I can see some traffic if I do
> snort -dvi eth0 port 21
> and go to one of two boxes hanging off the same
> 4-port hub that the snort box is connected to...
> but not to one of the other machines!!!
> Are my network cards just weird, am I misunderstanding something
> quite significant here, or what?
> I'm running either Linux 2.2.16 or 2.4.0 (neither work properly!)
> on a stock RedHat 6.2 box, with the libpcap
> that RH throw in... is this my problem???
> And in addition, how does the kernel/system
> differentiate between the two cards when both
> are actually connected? It seems clear that
> when only one of the two is 'wired' that eth0
> seems to be attached to that one (when I bring
> an interface up)...
> Or should I just go and lie down in a darkened room?
> Thanks again...
More information about the Snort-users