[Snort-users] Snort and Nortel Accelar 1200...

Fri Mar 9 15:10:52 EST 2001

Hi y'all,
	I'm trying to get Snort running on a Windows 2000 box here and am
having some problems when trying to grab data from a mirrored port on a
Nortel Accelar 1200.  Snort reports that all data captured is of the 'other'
protocol and I see nothing.  When I run snort on a non-mirrored port, and
move some data over the wire I see the traffic like normal, so I know snort
is working fine.  When I capture the data in Microsoft Netmon, I see all
packets come through with layer-2 information only and they have the
protocol type of 'Wellfleet' (Nortel used to be Wellfleet many moons ago and
their name is still used within some of their products).  When I run Netmon
on a non-mirrored port, I see the traffic as normal so I know Netmon is
working fine.  When I grab the data using NA's Sniffer product, everything
appears fine.  Is the Accelar 1200 encapsulating the data when it mirrors to
another port in some proprietary layer-2 protocol that only NA's product can
understand?  Has anyone else experienced this problem?  The only thing I
think may be causing a problem is that the majority of the packets are
tagged, and hence have a maximum frame size of 1522 bytes (increased through
an IEEE standard to allow for the 4-byte VLAN ID field).  Any ideas?


Abe L. Getchell - Chief Security Officer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...1525...
Web     http://www.kde.state.ky.us/
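
The tagged-frame theory raised in the message above can be checked directly against a capture. The following is an added example, not part of the original post and not code from Snort, Netmon or Sniffer: it compares a decoder that ignores 802.1Q tags with one that skips them. The function names and sample frames are constructed for illustration.

```python
import struct

TPIDS = {0x8100, 0x88A8}   # 802.1Q and 802.1ad tag protocol identifiers
NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def naive_protocol(frame: bytes) -> str:
    """Decoder with no VLAN support: trusts the two bytes after the MACs."""
    if len(frame) < 14:
        return "truncated"
    (etype,) = struct.unpack_from("!H", frame, 12)
    return NAMES.get(etype, "other")

def tag_aware_protocol(frame: bytes):
    """Skip any VLAN tags; return (protocol, [vlan ids])."""
    offset, vlans = 12, []
    while True:
        if len(frame) < offset + 2:
            return "truncated", vlans
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TPIDS:
            break
        if len(frame) < offset + 4:
            return "truncated", vlans
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4                  # each tag adds 4 bytes (1518 -> 1522 max)
    if etype <= 1500:                # 802.3 length field, not an EtherType
        return "802.3/LLC", vlans
    return NAMES.get(etype, "other"), vlans

# Constructed sample frames (not captured from any real switch).
MACS = bytes.fromhex("020000000001" "020000000002")   # dst + src, 12 bytes
IP_STUB = b"\x45" + bytes(19)                         # placeholder IPv4 header
UNTAGGED = MACS + bytes.fromhex("0800") + IP_STUB
TAGGED = MACS + bytes.fromhex("8100" "0064" "0800") + IP_STUB   # VLAN 100

if __name__ == "__main__":
    for label, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(label, naive_protocol(frame), tag_aware_protocol(frame))
```

If frames from the mirrored port decode as "other" in the naive path but as IPv4 in the tag-aware path, the 802.1Q tag is what the capture tool is failing to skip.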

