[Snort-users] Multiple Interfaces with -i any not working.

Robinson, Ken ken.robinson at ...1563...
Tue Mar 13 11:31:36 EST 2001


I have a requirement that would seem to be nicely answered with the '-i any'
option; unfortunately it is not working for me.

I'm running into the same problem that seph reported a couple weeks back.

I've installed the latest libpcap with support for 'any' as an interface.
It works fine with tcpdump. I'm trying this on a couple different Linux
boxes, one is an Immunix 6.2 distribution and the other a Mandrake 7.2 dist.
These are 2.2.14 and 2.2.17 kernels respectively. I've also built a new
2.2.18 kernel.

On the 2.2.14 kernel I'm told that Snort doesn't support Link Data Type 113.
On the other kernels I see the same error as seph saw, that it claims that
the packets are not IPv4.    

Snort works fine with a specific interface (i.e. -i eth0).

I've tried the daily builds, including one I picked up this morning around
10AM EST.  

The systems are plugged into the same 100Mbit Ethernet hub (3COM) and are
using 3COM 100Mbit NICs and an Intel EtherPro (2 3COM and 2 Intel NICs in the
Immunix system).

We want to use this to monitor 2 ports on a failover system. I.e. only one
is active at a time. Using the '-i any' option seemed like a nice way to
end up with one log file instead of 2. I'm also currently using snortsnarf
and snorticus to collect the logs.

It's quite important for me to get this working, I'll help out in any way I


Ken Robinson
Canada Customs and Revenue Agency
Enterprise Security Section
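
For reference, link-layer type 113 is libpcap's DLT_LINUX_SLL, the 16-byte "cooked" header that captures on the 'any' pseudo-interface carry in place of an Ethernet header. The following is an added example, not part of the original post and not Snort's code; the function names and the sample frame are constructed for illustration. It shows where the protocol field and the IPv4 header sit in such a frame, and what the same bytes look like when read at Ethernet offsets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SLL_HDR_LEN  16      /* fixed size of the DLT_LINUX_SLL (113) header */
#define ETH_HDR_LEN  14
#define ETHERTYPE_IP 0x0800

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Protocol field of a cooked frame (bytes 14-15); -1 if truncated. */
int sll_protocol(const uint8_t *pkt, size_t len) {
    if (len < SLL_HDR_LEN) return -1;
    return be16(pkt + 14);
}

/* What a decoder assuming Ethernet would read as the EtherType (bytes 12-13). */
int ethertype_if_ethernet(const uint8_t *pkt, size_t len) {
    if (len < ETH_HDR_LEN) return -1;
    return be16(pkt + 12);
}

/* Offset of the IPv4 header in a cooked frame, or -1 if not IPv4 / truncated. */
int sll_ipv4_offset(const uint8_t *pkt, size_t len) {
    if (sll_protocol(pkt, len) != ETHERTYPE_IP) return -1;
    if (len < SLL_HDR_LEN + 20) return -1;          /* minimum IPv4 header */
    if ((pkt[SLL_HDR_LEN] >> 4) != 4) return -1;    /* IP version nibble */
    return SLL_HDR_LEN;
}

/* Constructed sample: cooked header + 20-byte IPv4 header (no payload). */
const uint8_t sample_frame[] = {
    0x00,0x00,              /* packet type: 0 = sent to this host */
    0x00,0x01,              /* ARPHRD type: 1 = Ethernet */
    0x00,0x06,              /* link-layer address length */
    0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, /* address, padded to 8 bytes */
    0x08,0x00,              /* protocol: IPv4 */
    0x45,0x00,0x00,0x14,0x00,0x00,0x00,0x00,
    0x40,0x06,0x00,0x00,0xc0,0x00,0x02,0x01,0xc0,0x00,0x02,0x02
};

int main(void) {
    size_t n = sizeof sample_frame;
    printf("cooked protocol field: 0x%04x\n", sll_protocol(sample_frame, n));
    printf("read as Ethernet:      0x%04x\n", ethertype_if_ethernet(sample_frame, n));
    printf("IPv4 header offset:    %d\n", sll_ipv4_offset(sample_frame, n));
    return 0;
}
```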
