[Snort-users] Token ring support of snort

Martin Roesch roesch at ...1935...
Thu Nov 1 07:59:08 EST 2001


That's very possible, the Token Ring users of Snort are a pretty small
set of people, and I think you're the first person that's tried it on
Windows.  If you could capture some packets with Ethereal and mail them
to me (the binary packet captures), I'll see if I can update the
decoder.

     -Marty

bulent_sahin at ...3967... wrote:
> 
> Yes, the interface name is correct. I tried, but same thing happened.
> Program captures some frames, but categorizes them as OTHER. I suppose
> that snort does not understand token-ring, llc2 and snap headers?
> Thanks
> Bulent
> 
> Martin Roesch <roesch at ...1935...>
> Sent by: roesch at ...2250...
> 01.11.2001 17:04
> To: bulent_sahin at ...3967...
> cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Token ring support of snort
> 
> Is that the right interface name for the T/R interface?  To get a list
> of the interfaces that are available run 'snort -W', then set the
> sniffing interface with 'snort -i <intf>'
> 
>     -Marty
> 
> bulent_sahin at ...3967... wrote:
> >
> > Hi,
> >
> > Does anybody know about token ring support of snort? A few days ago I
> > installed snort on my computer, but when I try "snort -v" it assumes
> > that all packets are ethernet packets.  Winpcap and ethereal work
> > fine. I pasted "snort -v" output below.
> >
> > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
> > Log directory =
> >
> >         --== Initializing Snort ==--
> >
> > Initializing Network Interface \
> > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
> >
> >         --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.8-WIN32 (Build 74)
> > By Martin Roesch (roesch at ...1935..., www.snort.org)
> > 1.7-WIN32 Port By Michael Davis (mike at ...92..., ww
> > 1.8-WIN32 Port By Chris Reid (chris.reid at ...3968...
> >           (based on code from 1.7 port)
> >
> > =======================================================
> > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
> >
> > Breakdown by protocol:                Action Stats:
> >     TCP: 0          (0.000%)          ALERTS: 0
> >     UDP: 0          (0.000%)          LOGGED: 0
> >    ICMP: 0          (0.000%)          PASSED: 0
> >     ARP: 0          (0.000%)
> >    IPv6: 0          (0.000%)
> >     IPX: 0          (0.000%)
> >   OTHER: 1311       (99.924%)
> > DISCARD: 0          (0.000%)
> > =======================================================
> > Fragmentation Stats:
> > Fragmented IP Packets: 0          (0.000%)
> >     Fragment Trackers: 0
> >    Rebuilt IP Packets: 0
> >    Frag elements used: 0
> > Discarded(incomplete): 0
> >    Discarded(timeout): 0
> >   Frag2 memory faults: 0
> > =======================================================
> > TCP Stream Reassembly Stats:
> >         TCP Packets Used: 0          (0.000%)
> >          Stream Trackers: 0
> >           Stream flushes: 0
> >            Segments used: 0
> >    Stream4 Memory Faults: 0
> > =======================================================
> > pcap_loop: read error: PacketReceivePacket failedpcap_s
> > r
> > Snort received signal 3, exiting
> >
> > Thanks,
> > Bulent
> 
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
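
The symptom in this thread (a Token Ring interface decoded as Ethernet, with nearly every frame counted as OTHER) can be reproduced with a small link-layer walk. The C below is an added example, not Snort's decoder code and not part of the original messages; it assumes the standard 802.5 layout (AC, FC, addresses, optional routing information field, then LLC/SNAP), and the function names and sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TR_TRUNCATED (-1)   /* frame shorter than its headers claim */
#define TR_NOT_LLC   (-2)   /* FC frame-type bits are not 01 (LLC) */
#define TR_BAD_RIF   (-3)   /* routing information length is invalid */
#define TR_NOT_SNAP  (-4)   /* LLC header is not followed by SNAP */

/* What an Ethernet decoder reads as the EtherType: bytes 12-13, which in a
 * Token Ring frame are the last two bytes of the source address. */
int ethernet_view_type(const uint8_t *f, size_t len)
{
    return len < 14 ? TR_TRUNCATED : (f[12] << 8) | f[13];
}

/* Walk AC, FC, DA, SA, optional RIF, LLC and SNAP; return the SNAP
 * EtherType and store the offset of the encapsulated packet. */
int tr_ethertype(const uint8_t *f, size_t len, size_t *payload_off)
{
    size_t off = 14;                               /* AC(1) FC(1) DA(6) SA(6) */
    if (len < off) return TR_TRUNCATED;
    if ((f[1] & 0xC0) != 0x40) return TR_NOT_LLC;  /* 00 = MAC, 01 = LLC */
    if (f[8] & 0x80) {                             /* RII bit set: RIF follows SA */
        if (len < off + 2) return TR_TRUNCATED;
        size_t rif_len = f[off] & 0x1F;            /* includes the 2 control bytes */
        if (rif_len < 2 || (rif_len & 1)) return TR_BAD_RIF;
        if (len < off + rif_len) return TR_TRUNCATED;
        off += rif_len;
    }
    if (len < off + 3) return TR_TRUNCATED;        /* LLC: DSAP SSAP control */
    if (f[off] != 0xAA || f[off + 1] != 0xAA || f[off + 2] != 0x03)
        return TR_NOT_SNAP;
    if (len < off + 8) return TR_TRUNCATED;        /* SNAP: OUI(3) type(2) */
    *payload_off = off + 8;
    return (f[off + 6] << 8) | f[off + 7];         /* skip LLC and 3-byte OUI */
}

/* Constructed sample: source-routed 802.5 frame carrying an IPv4 header start. */
static const uint8_t sample_frame[] = {
    0x10, 0x40,                                    /* AC, FC (LLC frame) */
    0x40, 0x00, 0x00, 0x00, 0x00, 0x01,            /* destination address */
    0xC0, 0x00, 0x00, 0x00, 0x00, 0x02,            /* source address, RII set */
    0x06, 0x30, 0x00, 0x11, 0x00, 0x20,            /* RIF: control + 2 descriptors */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,/* LLC + SNAP, type 0x0800 */
    0x45, 0x00 };
```

On the sample frame the Ethernet view yields 0x0002, which matches no protocol an IDS would recognize, while the Token Ring walk yields 0x0800 (IPv4) at payload offset 28.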



