[Snort-users] Promiscuouls Mode Question

J. Craig Woods drjung at ...2066...
Sun Sep 2 17:40:03 EDT 2001


Erek Adams wrote:
> 
> On Sun, 2 Sep 2001, Jim Kipp wrote:
> 
> > If I run snort or tcpdump(on eth0), then do ifconfig -a eth0, it does
> > not report PROMISC. Only when I manually set promisc does it report it.
> > But tcpdump seems to be sniffing everything.  Is this normal?
> 
> Well, I'm not a cable modem user, but I play one in 'The Young and The
> Restless'...  ;-)
> 
> Seriously, look at the traffic.  Is it only traffic bound for your IP?  If so,
> you're seeing what you should be when not in promisc mode.  If that's the
> case, then yes, it's all working as it should.
> 
> Try doing a 'tcpdump not host <foo>' with <foo> being your host.  If you see
> traffic to/from other boxes other than ARP, then there is something kinda odd
> going on.
> 
> Hope this helps!
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 

I saw you, and a hell of a performance it was!!!!




More information about the Snort-users mailing list